* Note: these are the steps to install gentoo(unstable(~amd64), hardened, no-multilib, with btrfs on lvm on luks on sda3, with /boot on btrfs (no lvm here) on luks, bootable by grub but prompted for /boot luks password before grub menu appears) on my real lenovo laptop Z575 (so, not virtualbox! but this originated as a copy of 5gentoo_vm_hardened.wofl);
* Legend:
  \ indicates additional info/description
  \ //comment; indicates old obsolete comment left there to give you an idea of what was tried/happened.
  - indicates disabled item, do not do;
  * indicates enabled item, for you to do;
* location of this: https://github.com/aoaaxy/gentooskyline/blob/master/texts/6gentoo_real_hardened.wofl
  \ raw: https://raw.githubusercontent.com/zazdxscf/gentooskyline/master/texts/5gentoo_vm_hardened.wofl
  \ the number in front of the filename indicates that it's a newer iteration and most likely up to date when compared to any previous iteration!
- get the iso
  \ eg. links http://gentoo.mirrors.easynews.com/linux/gentoo/releases/amd64/autobuilds/current-admincd-amd64/
  * download
    - this doesn't work(gets robots.txt and stuff) wget -r --level=1 -nd -A 'admincd-amd64-201*.iso' http://gentoo.mirrors.easynews.com/linux/gentoo/releases/amd64/autobuilds/current-admincd-amd64/
    * wget http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/admincd-amd64-20150820.iso.DIGESTS.asc
      \ or: de-mirror.org
    * wget http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/admincd-amd64-20150820.iso
  * verify integrity
    * gpg2 --verify admincd-amd64-2015*.iso.DIGESTS.asc
      \ gpg: keyserver option 'include-disabled' is unknown
      \ gpg: Signature made Fri 14 Aug 2015 03:30:29 AM CEST using RSA key ID 2D182910
      \ gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [ultimate]
      * gpg --fingerprint 2D182910
      \ gpg: keyserver option 'include-disabled' is unknown
      \ pub   rsa4096/2D182910 2009-08-25 [expires: 2015-08-24]
      \       Key fingerprint = 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
      \       uid       [ultimate] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
    * sha512sum -c admincd-amd64-2015*.iso.DIGESTS.asc
      \ first one is OK:
      \ admincd-amd64-20150813.iso: OK
- put iso on usb (if you plan on booting from it on a real computer - not for virtualbox!!)
  * overwrite(thus lose!) everything on the usb stick, by writing the iso on the entire device(eg. sde, not on some partition like sde1)
    \ partition is also lost this way! *doh*
    * time sudo dd if=admincd-amd64-20150813.iso of=/dev/sde bs=6M
      \ 1m42s
    * sudo blockdev --rereadpt /dev/sde
      \ force kernel to re-read partition, so lsblk shows correct data
      \ $ lsblk
      \ ...
      \ sde                         259:917504  1  14.7G  0 disk  
      \ └─sde1                      259:589824  1   374M  0 part  
    * create a small partition to put some needed config files and patches
      * sudo cfdisk /dev/sde
      - time sudo mkfs.btrfs /dev/sde2
        \ 6.3s
        \ ok I don't have btrfs on my host right now, will go ext4
      * time sudo mkfs.ext4 /dev/sde2
        \ 44s
      * mkdir -p -- ~/here
      * sudo mount /dev/sde2 here
      * sudo cp --archive -- ~/rsync ~/here
        \ the ~/rsync folder is a folder where rsync pulled some gentoo stuff from my other gentoo-in-virtualbox tests thus far.
      * sudo cp --archive -- ~/build/amdmsrtweaker-lnx ~/here
      * sudo umount here
      * sudo eject /dev/sde
- make virtualbox VM
  * create new virtual machine
    * linux
    * gentoo (64bit)
  * set 10G RAM
    \ 10240 MB
    \ any less than 8G and it would affect having /var/portage compiling firefox! (basically I chose 10G for firefox!)
  * HDD vdi 80G  dynamic!! (never use: fixed)  - ok trying fixed this time to see if it has any effect on compile speed (actually I've used 29G last time, which were btrfs lzo compressed nicely to 20G, so I should consider larger size! there won't be enough space to compile chromium!)
    \ so use dynamic here to avoid writing all gigs at the start
    \ click to browse where to put it (for my case)
  * in System:
    * remove floppy from System
    * in Processor tab:
      * set 4 cores
      * enable PAE/NX in System->Processor
    * other defaults are:
      * Motherboard tab
        \ Boot order: CD/DVD(aka Optical) and HardDisk
        \ Chipset: PIIX3
        \ Pointing Device: USB Tablet
        \ Extended Features:
          \ ticked Enable I/O APIC
          \ no efi (unticked)
          \ ticked Hardware Clock in UTC Time
      * Acceleration tab
        \ Paravirtualization interface: Default  (this appears in virtualbox 5)
        \ enable VT-x/AMD-V
        \ enable Nested Paging
  * in Storage:
    * add the ISO on the Empty CD below Controller: IDE
      \ //install-amd64-minimal-20141204.iso
      \ //admincd-amd64-20150319.iso
      \ admincd-amd64-20150813.iso
      * don't tick live cd/dvd
    * click Controller: SATA and enable: Use Host I/O Cache
    * set HDD to be SSD (aka nonrotational)
      * tick Solid-state Drive on the device below Controller: SATA
      * don't tick Hot-pluggable (vbox 5)
      - to get discard to work (if your .vdi is dynamic!!) which will resize your dynamic .vdi harddisk file but this means lots of writes will happen during resizing(on the host!).
        - click OK
        - exit virtualbox, close window, and make sure there wasn't any other window open(maybe other running virtualboxes are ok)
        - edit .vbox file(it's in the folder with the same name as the name you gave to this virtualbox when you created it) search for nonrotational and add next to it:
          \ discard="true"
          \ XXX: this will shrink dynamic/fixed (yes either! tested! virtualbox 4.3.20) .vdi file when TRIM happens inside guest OS - this means lots of writes on the host though - so don't use this, unless you lack space and you're not on a SSD(on host)
          \ without this, hdparm -I /dev/sda  doesn't report TRIM as supported inside guest OS
          \ setting this to true will hurt you if you lvremove root volume even though it cost nothing to create it, the .vdi is 12G now, but after lvremove it will write 12G to get it down to like 200MB let's say. So for this reason, do not use discard! not using discard might cost only SSD write amplification because .vdi will never shrink; well whatever.
        - ok set discard="false"  for now! because we don't want the overhead of shrinking!!!
        - start virtualbox
    * optional: add another SSD to be used for ccache that you can detach later if you want to use it in another virtual machine! this will speed up the compilation times because it's using ccache! (even tho it has no effect for when using gentoo normal and then gentoo hardened for example)
  * in Audio:
    * Enable Audio
      * Host Audio Driver: PulseAudio
      * Audio Controller: ICH AC97
    * close all virtualbox instances or something, so that you can:
    * edit its corresponding *.vbox file, to
    * remove: codec="AD1980"  or else you can't hear(on host) the pulseaudio sound that works well inside guest
      \ +      <AudioAdapter controller="AC97" driver="Pulse" enabled="true"/>
      \ -      <AudioAdapter controller="AC97" codec="AD1980" driver="Pulse" enabled="true"/>
  * in Network:
    * set Adapter 1, Attached to: NAT   (this is set by default)
      \ we'll use dhcp IPs given by virtualbox eg. 10.0.2.15
    * note that adapter type is: Intel PRO/1000 MT Desktop (82540EM)
    - set Adapter 1, Attached to: Bridged Adapter
      \ XXX: the problem with this is that it requires my physical router be connected on my LAN in order for my ssh to virtualbox VM sessions to work (they use the LAN IPs) ie. unplugging LAN cable will freeze all ssh sessions and they time out after a few mins.
  * Serial Ports (to see dmesg on kernel oops/panics)
    * Port 1
      \ COM1, IRQ 4, I/O 0x3F8
      \ Port Mode: RAW File
      \ Port File Path: /tmp/gentoovmnormal3_80g_com1.txt
      - in kernel cmdline of the guest OS(so, later!) add: DONE: move this below!
        \ console=tty1,ttyS0,115200n8 earlyprintk=vga,serial,ttyS0,115200,keep
        \ ^ that isn't working! (because there was an earlier: console=tty1 earlyprintk=vga) - just make sure there are no other occurrences of console= and earlyprintk=
        \ //but this is:
        \ //console=ttyS0,115200n8,tty1 earlyprintk=serial,ttyS0,115200,keep,vga
        \ //^ works but ttyS0 is console and tty1 is NOT! so can't input luks password for example.
        \ DONE: Well you can increase the speed actually, to: 115200  or maybe more, haven't tested with anything other than 9600
        \ for some reason 115200 is slow! possibly just like 9600 or slower!,, actually I can't tell the difference, maybe 115200 is faster than 9600 or same? but it should be visible!!!
        \ takes lots of minutes to boot! keep it disabled!
* see howtos -> build your own admincd iso, since that's what we're using to install this!
* install gentoo
  * boot from custom made liveCD(instructions are in this same file you're reading from) using no boot params when prompted:
    \ #SECONDBOOT (secondboot=things you need to do if you need to boot from CD again because booting after install failed or you took a break)
    * to view this file (from your custom iso)
      * cd ~ && mkdir here && mount /dev/sde2 here
      * vim here/6gentoo_real_hardened.wofl
    - gentoo-nofb ipv6.disable=1 nodhcp
      \ XXX: gentoo-nofb is required or else it will lockup with the normal fb one when loading modules! unless using admincd.iso which seems to be working!
      \ XXX: nodhcp so you don't have to pkill dhcpcd due to some bug (but still have to stop it due to another bug; yes ifconfig shows it still got loaded and you got yourself an IP - tested inside virtualbox)
      \ noipv6 is needed for gpg trying to access keyserver via ipv6 addresses
      \ there's no such option: noipv6
      \ use ipv6.disable=1  instead
    - /etc/init.d/rpcbind stop
      \ this kills listening rpcbind (on eg. port 111 and others, nfs related )
    - setup networking (only when NOT using NAT in virtualbox, so do this when using Bridged)
      * /etc/init.d/dhcpcd stop
        \ this works if you use nodhcp above
      * pkill dhcpcd
        \ needed if you didn't use nodhcp above
        \ https://bugs.gentoo.org/show_bug.cgi?id=526934#c2
      * fix net-setup first(on the 2014 iso, no newer one yet): https://bugs.gentoo.org/show_bug.cgi?id=536432
        \ yep this still needs to be fixed!!! with the admincd of 9 april 2015
        \ can't modify the file on the spot, read-only file system!
        * cp `which net-setup` .
        * nano -w net-setup   (vim exists on admincd so... vim net-setup +119 )
          \ alt+g, 119, enter
          \ End key, add the  \ 
          \ Ctrl+O, enter, Ctrl+X
        * run it as ./net-setup enp0s3
          \ to use the one in current directory which we fixed!
      * net-setup enp0s3
        \ or use ifconfig to get the interface name to pass.
        \ use different IP here than what you'd use inside chroot setting up networking! (to allow different ssh fingerprints)
        \ for DNS use 8.8.8.8 (or better yet, since the google one lagged lately, use opendns: 208.67.222.222 ) and set search to none(press enter) or *
      * vim /etc/resolv.conf
        \ nameserver 208.67.222.222
        \ nameserver 208.67.220.220
        \ #nameserver 192.168.1.1
    - pkill dhcpcd
      \ it's not even emerged anymore
    * see if net works  #SECONDBOOT
      * ping google.com
        \ to see it works
    - start using ssh to facilitate copy/paste operations
      * passwd
        \ to set a root password
      * /etc/init.d/sshd start
      * how to now connect from host
        \ if you ssh for second boot, you'll need to rm the line from your host's ~/.ssh/known_hosts or else you can't ssh due to WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! #SECONDBOOT vim ~/.ssh/known_hosts
        - ssh root@192.168.0.1  if used Bridged
          \ it's the IP that you set in net-setup above
        * ssh ... if using NAT
          - this requires you have similar IP on host - NOPE, this is not the way, guest is under NAT afterall
            \ add it: sudo ip addr add 10.0.2.200/24 dev net0
            \ see it: ip addr   <- to see effect (not ifconfig -v)
            \ remove it: sudo ip addr del 10.0.2.200/24 dev net0
          * you need to forward port 22
            \ http://ask.xmodulo.com/access-nat-guest-from-host-virtualbox.html
            * ifconfig
              \ see what's the ip of the guest OS
              \ 10.0.2.15
            * Machine->Settings->Network->Port Forwarding (button)
              \ Name: sshd
              \ Protocol: TCP
              \ Host IP: 127.0.0.111
              \ Host Port: 8822
               \ ^ (any unused port higher than 1024) unless you're running virtualbox as root(don't!)
              \ Guest IP: 10.0.2.15
              \ Guest Port: 22
          * ssh -v -p 8822 127.0.0.111 -l root
    - start this inside vm:
      * setterm --blank 0
        \ to avoid blanking the screen after a few mins
      * dmesg -w
      \ and watch for segfaults (apparently cc1plus likes to do that - 3 times so far)
      \ note that you are using ssh terminal now, so putting this inside vm window is ok (or in another ssh session, non-chrooted)
    * partition disk
      \ when booting from cardreader(/usbstick too?) sda is 80G and sdb is 1TB but the 80G is where the dvd-rw was (I mean physically, inside this laptop). Use that lsblk to verify! (74.3G and 931.5G)
      * lsblk
      * blkdiscard --verbose -- /dev/sdb
        \ --secure doesn't work: blkdiscard: /dev/sdb: BLKSECDISCARD ioctl failed: Operation not supported
        \ /dev/sdb: Discarded 1000204886016 bytes from the offset 0
      * blockdev --rereadpt /dev/sdb
        \ aka sfdisk -R
      * lsblk
        \ sdb    259:786432  0 931.5G  0 disk
      * parted -a optimal /dev/sdb
        * mktable gpt
          \ mklabel=mktable  but mktable is more intuitive
          \ note: destroys all existing partitions (data is lost)
        * unit mib
        * creating the partitions
          \ src: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Disks#Creating_the_partitions
          - FIXME: make it inside lvm(is that even possible?) TODO: try/test if works to make a swap partition at the beginning here just in case an accidental dd overwrites the entire device
            * mkpart primary 1 32769
              \ 32gig + 1 meg = 32gig partition
              \ do twice the RAM + 1 meg that we skipped
              \ this on bare metal.
            - mkpart primary 1 16385
              \ 16gig+1meg
            * name 1 swap_on_luks_part
            * set 1 swap on
              \ does this even work??
            * print
            * FIXME: adjust sizes accordingly
          * make a 2MB grub bios partition that will be used by the GRUB2 boot loader later
            * mkpart primary 1 5
              \ that's a 4MB one, 5-1=4
              \ note: a 1 3 aka 2 meg one is enough though!
            * name 1 gruby
            * set 1 bios_grub on
            * print
          - when /boot isn't inside LVM
            - make boot
              * mkpart primary 3 131
              * name 2 booty
            - make swap
              * mkpart primary 131 643
              * name 3 swap
            - make root
              * mkpart primary 131 7000
                \ using a 12G hdd
              - mkpart primary 643 -1
              * name 3 rootfs
              - name 4 rootfs
            - make boot partition bootable (apparently needed only for UEFI?)
              * set 2 booty on
          - make LVM (with /boot inside lvm, grub can boot from this)
            * mkpart primary 3 -1
            * set 2 lvm on
            * name 2 lvmall
          * make LUKS partition for /bewt
            \ done: do I need to set lvm flag here? even though lvm is inside luks? - nope
            - mkpart primary 5 1029
            * mkpart primary 5 4101
               \ those kernels are accumulating...
            * name 2 booty
             - no: maybe set this to root or hidden flag (currently no flag is set) - I don't know, this doesn't seem needed
              \ set 2 root on
              \ or
              \ set 2 hidden on
            - XXX: OK, so if partition is GPT(so protective MBR has the partition type set to EE aka GPT; and this boot partition we're making is in fact inside GPT so not seen here in protective MBR) then this Lenovo Z575 BIOS will not boot from it (probably because it's expecting something like a fat32 partition inside the GPT? or something GPT related!)
              \ tested by changing partition type(of the only partition from protective MBR) with fdisk, from EE to 8E(linux lvm) [83 aka Linux, same effect; also tried: EF which is "EFI(FAT-12/16/" - same]
              \ sudo fdisk -t dos /dev/sdb
              \ ^ with that command from Manjaro.('cause it boots faster than from usbstick(which does in 3m40s))
              \ but GRUB says it cannot find that cryptodisk!! which may be so because it cannot see it's a GPT at all anymore, due to the partition type ID change!
               \ so now what I could do, is teach GRUB that some other partition type is in fact GPT so it treats it as it would if it were of type EE(aka GPT), and this way it could find the cryptodisk; and at the same time being of non-EE type, then this Z575 BIOS won't get confused and not boot from it at all! OH but wait! this means a lot of other programs (even the kernel) I'd have to patch to see partition type 10 (let's say; which is OPUS) as EE (which is GPT), so not just GRUB! So, others might include LVM, grub2, kernel, cryptsetup.
              \ done: see if bootable flag is actually needed at all! XXX: If bootable flag on the protective MBR is unset then my BIOS ignores that disk and doesn't try to boot from it! Just the same as it does with if the partition is (bootable and) set to GPT(0xEE)
              \ MBR sector layout and partition table offsets: https://en.wikipedia.org/wiki/Master_boot_record#Sector_layout
              \ XXX: ok so here's the deal: z575 bios ignores non-bootable(marked) partitions AND bootable 0xEE(aka GPT type) partitions: so the fix is simple! add new dummy bootable-marked 0x10(OPUS, for example) type partition which has startsector/endsector/startCHS/endCHS all 0('cause why bother, since it works this way - tested).
            - make MBR active (NEEDED for bare metal BIOS to see the whole disk as bootable, or else it just skips it and tries next hdd if any)
              - disk_set pmbr_boot on
                \ (GPT) - this flag enables the boot flag on the GPT’s protective MBR partition.
                * fdisk -t dos -l /dev/sdb
                  \ to verify
                  \ Device     Boot Start        End    Sectors   Size Id Type
                  \ /dev/sdb1  *        1 1953525167 1953525167 931.5G ee GPT
                  \ NOW we're talkin'!
                  \ XXX: Oh man, it still doesn't boot! Thanks Lenovo! :)  (did remove the other (GPT)flags though)
               - recompute CHS values for the entries in the protective MBR
                \ src: http://www.rodsbooks.com/gdisk/bios.html#bios
                * sgdisk --recompute-chs /dev/sdb
                  \ before:
                  \ /dev/sdb1  *        1 1953525167 1953525167 931.5G ee GPT
                  \ --
                  \ Geometry: 255 heads, 63 sectors/track, 121601 cylinders
                  \ Units: cylinders of 16065 * 512 = 8225280 bytes
                  \ Sector size (logical/physical): 512 bytes / 512 bytes
                  \ /dev/sdb1  *        1 121602    121602 931.5G ee GPT
                  \ after: 
                  \ /dev/sdb1  *        1 1953525167 1953525167 931.5G ee GPT
                  \ --
                  \ Geometry: 255 heads, 63 sectors/track, 121601 cylinders
                  \ Units: cylinders of 16065 * 512 = 8225280 bytes
                  \ Sector size (logical/physical): 512 bytes / 512 bytes
                  \ /dev/sdb1  *        1 121602    121602 931.5G ee GPT
                  \ --- hmm, apparently no effect BUT! man sgdisk says:
                  \ the GPT specification requires a CHS value of 0xFFFFFF for over-8GiB partitions, but  this  value  is technically  illegal by the usual standards. Some BIOSes hang if they encounter this value. This option  will  recompute  a  more normal  CHS value -- 0xFEFFFF for over-8GiB partitions, enabling these BIOSes to boot.
                  \ XXX: this has had no effect!
              - set 2 boot on
                 \ it added: boot and esp flags! (looks like esp is: EFI System Partition (ESP), which is where an EFI stores its boot loaders. Some EFIs use the presence of an ESP as a clue to favor EFI-mode booting, and so such a partition can interfere with BIOS/CSM/legacy-mode booting. src: http://www.rodsbooks.com/gdisk/bios.html#bios )  LOOKS like I cannot set only the boot flag on the booty GPT partition! well, anyway they were both off!
                \ NOPE it doesn't boot still! and I even tried legacy_boot flag on top of those! same effect!
                \ must be because it's a gpt partition? or it's a grub issue? but for some reason it tries to go graphical (apparently!) but then switches back when it boots from the other(80G) SSD eventually.
                * print
                  \  2      5243kB  4300MB  4295MB               booty  boot, esp
          * make LUKS partition for /
            \ this is so we can use different passwords - one at grub menu for mounting /bewt and one for kernel when it wants to mount /
            - mkpart primary 1029 -1
            * mkpart primary 4101 -500GiB
              \ leave exactly 500 gigabytes free space!
            - mkpart primary 1029 998G
              \ should've probably been GiB not G because: now Size: 950740MiB
            * name 3 lucky
          - make root partition (/boot is on it too)
            \ this if you don't need lvm or luks (see 4*.wofl file)
            * mkpart primary 5 -1
            * name 2 allin1
          * print
          * q
        * use hexedit/dd to add a new dummy partition which will be used to trick Z575 BIOS into booting from this disk. (REQUIRED!)
          \ without this, you won't be able to boot from this (GPT partition containing) disk!! this BIOS just skips over it.
          * dd if=/dev/sdb of=sdb.mbr bs=512 count=1
            \ make a copy of the MBR as is now, into a file
          * hexedit sdb.mbr
            * ensure the GPT partition(of this protective MBR) which is the first and only partition, is in fact not marked active! (this would be bad!)
              \ press Enter
              \ type: 1be
              \ that value should get you to the first (of 16) byte of the first partition which should be 00 (or 80 if it's marked active! shouldn't be tho! so if it is, type 00 there) - if it's any other value(than 00 or 80) then you're in the wrong location!! don't change shiet!
              \ what you see(16 bytes from where you are):
              \                                              00 00
              \ 01 00 EE FF  FF FF 01 00  00 00 AF 6D  70 74
            * copy this first partition as the second via hexedit copy/paste
              \ press Ctrl+Space to start marking
              \ //go 15 bytes ahead, the byte you're on now should not be 0 but it could be depending on the end sector number, it's never 0 for my SSD.
              \ or just press Enter then type 1cd  (to go 15 bytes ahead, +1 with the one you're on; so you've selected 16 bytes)
              \ now press Alt+W (or Esc, W) to copy to clipboard(or something) this will auto deselect those 16 bytes
              \ now move one more byte forward, or press Enter and type 1ce  to go to the next partition
              \ paste here by pressing Ctrl+y
            * modify first partition to make it a dummy bootable one
              \ press Enter and type 1be
              \ press 80 here to set partition active!
              \ press 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
              \ (press those ^ without the spaces!) notice that "10" which means it's of type OPUS (I randomly chose this!)
              \ what you see if you were at 1be after this:
              \                                              80 00
              \ 00 00 10 00  00 00 00 00  00 00 00 00  00 00 00 00
              \ 01 00 EE FF  FF FF 01 00  00 00 AF 6D  70 74 00 00
              \ That 00 01 00 is CHS start, the EE is partition type (0xEE is GPT; above is 10 for OPUS, that's for the first partition which is 16 bytes above) then the FFFFFF is what GPT sets for CHS end, then 01000000 is start sector(1), then AF6D7074 is 1953525167(decimal) aka 74706DAF hexa which is the end sector number.
              \ /dev/sdb2           1 1953525167 1953525167 931.5G ee GPT
            * exit and save
              \ press Ctrl+X and press y when asked
            * copy entire mbr back to the drive
              \ sudo dd if=./sdb.mbr of=/dev/sdb bs=512 count=1
              \ NOTE: the sudo part is only needed in Manjaro, which is where I'm doing this from right now; when booted from iso, you're already root (and likely don't have sudo, but should have it on next iso iteration because it's in the todo list; anyway don't use sudo from iso, obviously!)
            * make kernel reread partition to ensure it can still see it as GPT
              * sudo blockdev --rereadpt /dev/sdb
              * lsblk
                \ should show all 3 partitions (which are the inside GPT partitions!)
            * observe what fdisk sees now
              * sudo fdisk -t dos /dev/sdb  -l
                \ Disk /dev/sdb: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
                \ ...
                \ Device     Boot Start        End    Sectors   Size Id Type
                \ /dev/sdb1  *        0          0          0     0B 10 OPUS
                \ /dev/sdb2           1 1953525167 1953525167 931.5G ee GPT
              * for kicks, enter fdisk to verify
                * sudo fdisk -t dos /dev/sdb
                  \ type p
                  \ type v
                  \ notice no complaints/errors!
                  \ if you swap the partitions, while it still boots ok(if I remember right) fdisk will complain here at the verify step(that v)
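          \ A parser for the protective-MBR edit above, added here as an example for these notes (it is not from the original file, hexedit, or any Gentoo tool): it decodes the four 16-byte entries at 0x1be, performs the same two hexedit steps on a 512-byte copy, and refuses to run on anything that is not a plain protective MBR, so a second run cannot clobber the table. The sample sector is constructed from the bytes shown in the dump.

```python
"""Parse a 512-byte MBR sector and apply the Z575 dummy-partition trick
from the notes above: slot 1 becomes an active, all-zero entry of type 0x10
and the original 0xEE (protective GPT) entry is moved into slot 2."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # first of the four 16-byte partition entries
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE       # the 55 AA boot signature
TYPE_GPT_PROTECTIVE = 0xEE
TYPE_DUMMY = 0x10              # "OPUS": the arbitrary type the notes picked
STATUS_ACTIVE = 0x80


def parse_entry(mbr, index):
    """Decode partition slot index (0..3) into a dict; LBA fields are LE."""
    off = PART_TABLE_OFFSET + index * ENTRY_SIZE
    status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
    return {
        "active": status == STATUS_ACTIVE,
        "chs_start": chs_start.hex(),
        "type": ptype,
        "chs_end": chs_end.hex(),
        "lba_start": lba_start,
        "sectors": sectors,
        # fdisk's "End" column: last sector used, inclusive
        "lba_end": lba_start + sectors - 1 if sectors else 0,
    }


def parse_mbr(mbr):
    """Sanity-check the sector and return all four decoded entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    return [parse_entry(mbr, i) for i in range(4)]


def add_dummy_boot_entry(mbr):
    """Return a patched copy of mbr. Refuses anything that is not a plain
    protective MBR (one 0xEE entry in slot 1, slots 2-4 empty), so running
    it twice, or on a real DOS-partitioned disk, raises instead of
    corrupting the table."""
    entries = parse_mbr(mbr)
    if entries[0]["type"] != TYPE_GPT_PROTECTIVE:
        raise ValueError("slot 1 is not a 0xEE protective-GPT entry")
    if any(e["type"] != 0 for e in entries[1:]):
        raise ValueError("slots 2-4 are not empty; refusing to overwrite")
    out = bytearray(mbr)
    slot1 = PART_TABLE_OFFSET
    slot2 = slot1 + ENTRY_SIZE
    # hexedit step "copy this first partition as the second": move the 0xEE
    # entry to slot 2 and make sure its status byte is 00 (not active)
    out[slot2:slot2 + ENTRY_SIZE] = mbr[slot1:slot1 + ENTRY_SIZE]
    out[slot2] = 0x00
    # hexedit step "modify first partition": 80 00 00 00 10 then eleven 00s,
    # i.e. active, zero CHS/LBA/size, type 0x10
    out[slot1:slot1 + ENTRY_SIZE] = (
        bytes([STATUS_ACTIVE, 0, 0, 0, TYPE_DUMMY]) + bytes(11))
    return bytes(out)


def fdisk_rows(mbr):
    """Rows in the shape of 'fdisk -t dos -l' (Boot Start End Sectors Id)."""
    return [("*" if e["active"] else " ", e["lba_start"], e["lba_end"],
             e["sectors"], e["type"]) for e in parse_mbr(mbr) if e["type"]]


# Constructed sample sector: zeroed boot code, the protective entry shown in
# the notes (start LBA 1, 0x74706DAF sectors), three empty slots, 55 AA.
SAMPLE_ENTRY = bytes.fromhex("00000100" "EEFFFFFF" "01000000" "AF6D7074")
SAMPLE_MBR = bytes(446) + SAMPLE_ENTRY + bytes(48) + b"\x55\xAA"

if __name__ == "__main__":
    # the input would normally come from: dd if=/dev/sdb of=sdb.mbr bs=512 count=1
    for row in fdisk_rows(add_dummy_boot_entry(SAMPLE_MBR)):
        print("%s %10d %10d %10d %02x" % row)
```

The rows printed for the sample match the two lines fdisk shows after the edit (an active 0-sector type 10 entry, then the untouched ee entry from sector 1 to 1953525167).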
    * create filesystems
      * LUKS
        * create
          * cryptsetup --verbose --verify-passphrase luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 541 --use-random -- /dev/sdb2
            \ XXX: iter-time reduced from 5401 to 541 (10 times less; milliseconds) 'cause I don't really care! I care more about not wasting 5.4 seconds waiting here :)
            \ to later change the password: cryptsetup --verbose --verify-passphrase --iter-time 502 luksChangeKey /dev/sda2   (note the crappy iter-time used this time around!)
            \ uppercase YES or else: Command failed with code 22: Invalid argument
            \ move mouse and press keys inside the VM (not ssh session) - unsure if mouse has any effect, or maybe just very little
            \ getting this error after 100% key generation:
            \ device-mapper: remove ioctl on temporary-cryptsetup-14945 failed: Device or resource busy
            \ Command successful.
            \ Note: cryptsetup: Option --allow-discards is allowed only for open operation.
            \ boot
            \ dmesg: [ 1613.759458] device-mapper: ioctl: unable to remove open device temporary-cryptsetup-14945
            \ some errors happen, probably safe to ignore though:
            \ [ 1389.375462] udevd[14898]: inotify_add_watch(7, /dev/dm-0, 10) failed: No such file or directory
            \ device-mapper: remove ioctl on temporary-cryptsetup-14876 failed: Device or resource busy
            \ Command successful.
          * cryptsetup --verbose --verify-passphrase luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 541 --use-random -- /dev/sdb3
            \ root
            \ iter time set to 10 times less aka 541
          - cryptsetup --verbose isLuks /dev/sda2 || echo no
            \ Command successful.
          * cryptsetup --verbose --allow-discards luksOpen /dev/sdb2 luks_on_sda2_boot
            \ #SECONDBOOT DO THIS AFTER LVM BELOW:
            \ it's gonna be sda but it's not sdb, so.... hmm
          * cryptsetup --verbose --allow-discards luksOpen /dev/sdb3 lvm_on_luks_on_sda3_root
            \ #SECONDBOOT DO THIS AFTER LVM BELOW:
        * backup header:
          * mkdir /root/here/luks.headers.backup/
            \ /root/here should exist already; it's where usbstick writable partition(sde2) was mounted!
          * cd /root/here/luks.headers.backup/
          * cryptsetup --verbose luksHeaderBackup /dev/sdb2 --header-backup-file boot.luks.header
          * cryptsetup --verbose luksHeaderBackup /dev/sdb3 --header-backup-file root.luks.header
          * cd
          - now use scp to pull it out of vbox into the host i guess... TODO:
            * on HOST run this:
              \ mkdir luks.headers.backup ; scp -P 8822 -4vp root@127.0.0.20:/root/*.header luks.headers.backup/ ; ls luks.headers.backup/
              \ make sure: debug1: Exit status 0  not 1  (if 1 look above see what failed!)
            * ls -la luks.headers.backup
              \ 2 2meg files
      * LVM
        \ LVM aligns to MiB boundaries and allows discards by default. No special configuration is required. 
        \ src: https://wiki.gentoo.org/wiki/SSD#LVM
        \ also src: https://wiki.gentoo.org/wiki/LVM
        * lvmetad
          * stop lvmetad, before changing discards from 0 to 1
            * /etc/init.d/lvm stop ; /etc/init.d/lvmetad stop
              \ #SECONDBOOT
        * set discards #SECONDBOOT
          * vim /etc/lvm/lvm.conf
            \ (vim is available with our custom admincd*.iso but also on theirs! but not on installcd.iso)
            \ //NOTE: this is the first occurrence in this .wofl file in which we're using an editor to edit a file, when using admincd*.iso 'vim' is available, otherwise use 'nano -w' (eg. when using minimalcd*.iso there's no vim)
            * search for issue_d and set:
              \ issue_discards = 1
            - Ctrl+W to search, for: issue_d
              \ issue_discards = 1
            * search for use_lvmetad =   and set:
              \ use_lvmetad = 1
              \ oops, it's already 1 ! for now.
            - Ctrl+W use_lvmetad =
              \ Alt+W to next search (not needed if you include the equals above)
              \ use_lvmetad = 1
            * uncomment: default_data_alignment = 1   <- means 1MB
              \ and below: data_alignment_detection = 1  which means enabled
              \ this one is already uncommented!
        - /etc/init.d/lvmetad stop
          \ to disable the warning:
          \ WARNING: lvmetad is running but disabled. Restart lvmetad before enabling it!
          \ when pvcreate is executed below
          \ --------------
          \ on another note: TODO: maybe we need to stop it and then set use_lvmetad=1 in /etc/lvm/lvm.conf and then start it again
          \ as the lvm.conf says:
          \ XXX: "    # If lvmetad has been running while use_lvmetad was 0, it MUST be stopped
          \ # before changing use_lvmetad to 1 and started again afterwards. "
          \ to read current value of use_lvmetad(which is 0) use this: lvm dumpconfig --type default global/use_lvmetad
          \ yep it's 0
        * start lvmetad (needed for grub, apparently! with luks)
          * /etc/init.d/lvm start
            \ #SECONDBOOT AFTER THIS DO THE cryptsetup luksOpen ABOVE
            \ this starts lvm and lvmetad!
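          \ Added example (mine, not part of the original log): the two lvm.conf edits above (issue_discards, use_lvmetad, and the default_data_alignment uncomment) done with a small shell function instead of by hand in vim/nano, plus a getter that reports the active (uncommented) value the same way you would check it afterwards. It assumes the stock lvm.conf layout of one "key = value" line per option, optionally commented out with "#"; the sample file below is a constructed excerpt, not a real lvm.conf.

```shell
#!/bin/sh
# set_lvm_key / get_lvm_key: script lvm.conf edits instead of doing them in an editor.
# Added example, not from the original log. Assumes the stock lvm.conf layout
# where each option is one "key = value" line, possibly commented out with "#".

# set_lvm_key FILE KEY VALUE
# Prefers an existing uncommented "KEY = ..." line; otherwise uncomments the
# first "# KEY = ..." line. Indentation is kept. Returns 1 (file untouched) if
# the key does not occur at all, so a misspelled key is noticed, not ignored.
set_lvm_key() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN {
            live = "^[ \t]*" k "[ \t]*="          # already active line
            any  = "^[ \t]*#?[ \t]*" k "[ \t]*="  # active or commented-out line
        }
        { lines[NR] = $0
          if (!l && $0 ~ live) l = NR
          if (!a && $0 ~ any)  a = NR }
        END {
            target = l ? l : a
            if (!target) exit 1
            for (i = 1; i <= NR; i++) {
                if (i == target) {
                    match(lines[i], /^[ \t]*/)     # keep the original indentation
                    print substr(lines[i], 1, RLENGTH) k " = " v
                } else print lines[i]
            }
        }' "$file" > "$tmp" && mv -- "$tmp" "$file" || { rm -f -- "$tmp"; return 1; }
}

# get_lvm_key FILE KEY -> prints the active (uncommented) value, nothing if unset
get_lvm_key() {
    awk -v k="$2" '
        $0 ~ "^[ \t]*" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# make_sample_lvm_conf -> path to a constructed excerpt in lvm.conf layout (not a real file)
make_sample_lvm_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
devices {
    # default_data_alignment = 1
    data_alignment_detection = 1
    issue_discards = 0
}
global {
    use_lvmetad = 0
}
EOF
    echo "$f"
}

# Run with --demo to apply the same edits as the steps above to the sample file.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_lvm_conf)
    set_lvm_key "$f" issue_discards 1
    set_lvm_key "$f" use_lvmetad 1
    set_lvm_key "$f" default_data_alignment 1
    echo "issue_discards=$(get_lvm_key "$f" issue_discards) use_lvmetad=$(get_lvm_key "$f" use_lvmetad)"
    rm -f -- "$f"
fi
```

          \ On the real /etc/lvm/lvm.conf, stop lvmetad before flipping use_lvmetad (as the lvm.conf comment quoted below insists) and read back what lvm itself sees with lvm dumpconfig --type current global/use_lvmetad (the --type default form used further down only prints the compiled-in default, not your edit).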
        * create physical volume
          - pvcreate --verbose /dev/sda2
          * pvcreate --verbose /dev/mapper/lvm_on_luks_on_sda3_root
        * check that first extent starts at the right place:
          - pvs /dev/sda2 -o+pe_start --units b
          * pvs /dev/mapper/lvm_on_luks_on_sda3_root -o+pe_start --units b
            \ 1st PE : 1048576B
            \ yep should be 1MiB
            \ src: http://tytso.livejournal.com/2009/02/20/
        * pvdisplay
          \ shows what we did
          \ With the pvdisplay command, an overview of all active physical volumes on the system can be obtained. 
          \   PV Size               427.51 GiB
        * create vg
          \ A volume group (VG) groups a number of physical volumes and shows up as /dev/VG_NAME in the device file system. The name of a volume group is chosen by the administrator.
          * vgcreate --verbose vgall /dev/mapper/lvm_on_luks_on_sda3_root
          - vgcreate --verbose vgall /dev/sda2
        * pvdisplay
        * vgdisplay
        * make logical volumes
          \ Logical volumes are the final meta devices which are made available to the system, usually to create file systems on. They are created and managed in volume groups and show up as /dev/VG_NAME/LV_NAME.
          - lvcreate --verbose --discards passdown -L 512M -n bootlvolbackup vgall
          * lvcreate --verbose --size 4096M --name bootlvolbackup vgall
            \ yep M is megabytes (so the man says!)
            \ TODO: make use of this backup to save contents probably before running genkernel?
            \ the boot logical volume backup - where we store a copy of the /dev/sda2 partition i guess
            \ //XXX: there's a --discards passdown but seems to have no effect and is not necessary (only tested on non-luks)
            \ New error(and doesn't create anything!):
            \   --discards is supported only with thins.
            \  Run `lvcreate --help' for more information.
            \ apparently I've to add --thin, well it's more complicated! hmm...
            \ done: removing --discards passdown  for now, to see if discards are passed anyway! it would be messed up if they weren't! I've just gonna drop lvm entirely then! need that trimtest script to test this... ok tested and TRIM works! so, without --discards! still works!
          * lvcreate --verbose --size 32G --name swaplvol vgall
            \ swap device
            \   LV Size                32.00 GiB
          * lvcreate --verbose --extents 100%FREE --name rootlvol vgall
            \   LV Size                391.50 GiB
            \ the root+home device
            \ this is how to remove it(even if not in /dev/mapper/): lvremove /dev/vgall/rootlvol
        * lvdisplay
      * boot
        \ done: see mkfs.btrfs --help  and -A option might be needed to align for SSD ? - apparently not! since the lvm is already aligned, start of device for btrfs making seems okay.
        * mkfs.btrfs --metadata single /dev/mapper/luks_on_sda2_boot
          \ single because ssd, although this isn't needed because it's supposedly detected and set automatically; XXX: maybe not detected when luks (or when no TRIM? supported in .vbox file) yes, definitely not detected when LUKS!! so always specify that --metadata single
          \ oh noes, it's not detected: SSD detected:       no
          \ that's when lvm is on luks and on bare metal.
          \ Performing full device TRIM (4.00GiB) ...
          \ Block group profiles:
          \   Data:             single            8.00MiB
          \   Metadata:         single            8.00MiB
          \   System:           single            4.00MiB
          \ SSD detected:       no
          \ Incompat features:  extref, skinny-metadata
        - mkfs.btrfs --metadata single /dev/vgall/bootlvolbackup  TODO: do we actually mirror the entire partition contents ? or how else would we be able to detect stuff
        - mkfs.btrfs /dev/sda2
          \ btrfs boot 'cause ext2 is too easy
        - mkfs.ext2 /dev/sda2
      * swap
        * time mkswap --check --label swaponlvmonluks /dev/mapper/vgall-swaplvol
          \ we're not playin' here! checking 32GiB for badblocks...
          \ duration: 6m17s
          \ 0 bad pages
          \ LABEL=swaponlvmonluks
          \ that label is the maximum length; any longer and mkswap says: "Label was truncated"
          \ Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
        - swapon /dev/mapper/vgall-swaplvol
          \ not enabling it!
      * root
        * mkfs.btrfs --metadata single /dev/vgall/rootlvol
          \ need to specify --metadata single  because SSD is not detected through LUKS
          \ single because it's SSD, which will be detected as such even when not specified (but just to be sure, I'm specifying it); it's not detected due to being inside LUKS! so, yeah, good idea to make this kind of default explicit, as you can see they can change... defaults are evil because they're implicit and you can thus miss when they change (such as in this case)
    * mount filesystems
      - mount -o async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/sda2 /mnt/gentoo
        \ when no luks/lvm
      * prereq (not needed now; needed only when luksOpen happens after lvm was already started, eg. after boot from cd)
        \ only if you have rebooted once since creating partitions/filesystems above, then you will get this when trying to mount:
        \ mount: special device /dev/vgall/rootlvol does not exist
        \ so to fix that do this:
        * nano -w /etc/lvm/lvm.conf
          * Ctrl+W to search, for: issue_d
            \ issue_discards = 1
        - /etc/init.d/lvmetad stop
        * lvchange --verbose --activate y --activationmode complete vgall
          \ aka(at genkernel shell, prompt): lvm lvchange --verbose -a y
          \ lvscan <- for searches in this file that you're reading right now
          \ #SECONDBOOT XXX: this is not needed if you did LVM first and then LUKS(cryptsetup luksOpen) above!
      * NOTE: /mnt/gentoo/ already exists even on our custom made iso!
      * mount -o async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/vgall/rootlvol /mnt/gentoo
        \ #SECONDBOOT
        \ datasum and datacow are implied if compression is enabled; but nodatasum and/or nodatacow disables all compression. So by specifying datacow and datasum(with compress=lzo) we're just explicitly stating our defaults. Using mount will not show datasum and datacow since they are the default.
        \ XXX: not using: discard option(will use fstrim)
        \ /mnt/gentoo/ already exists
        \ we definitely want relatime instead of noatime ! see: man mount
        \ commit every 5 mins https://wiki.archlinux.org/index.php/Btrfs#Checkpoint_interval
        \ autodefrag: Auto defragmentation detects small random writes into files and queues them up for the defrag process. Works best for small files; not well-suited for large database workloads.
      * mkdir /mnt/gentoo/bewt
      - mount -o async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/vgall/bootlvol /mnt/gentoo/bewt
        \ //oldTODO: maybe we should try put boot on lvm here ? even though it's lvm on luks already!
      * mount -o async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/mapper/luks_on_sda2_boot /mnt/gentoo/bewt
        \ #SECONDBOOT
        \ XXX: not using: discard  (will use fstrim)
        \ this is just btrfsboot on luks on sda2  (not btrfsboot on lvm on luks on sda2!)
    * copy livecd squashfs contents instead of getting a stage3
      * time cp --archive --verbose --target-directory="/mnt/gentoo/" -- /mnt/livecd/*
        \ this copies the iso's squashfs contents into /mnt/gentoo/ to serve as our stage3
        \ note: there are no . prefixed files/folders in /mnt/livecd/ which would be missed by the above!
        \ duration: 
        \ real    7m21.642s
        \ user    0m4.970s
        \ sys     4m22.800s
      - (in rsync)mkdir -p /mnt/gentoo/etc/lvm && cp -vL /etc/lvm/lvm.conf /mnt/gentoo/etc/lvm/lvm.conf
        \ //NIXME: wait, we need lvm2 installed with hardened uclibc - no more uclibc!! too buggy
        \ but we still need to use this config!
        \ this remembers to use lvmetad (=1) and discards=1
        \ fixed: we might need lvmetad to be used in system (not chroot or installCD modes)
      - download and unpack stage 3 #stage3
        * download stage3
          * links http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/20150820/
            \ need these specific ones or rsync will find newer files and refuse to overwrite them due to --update   and you don't want to overwrite the newer ones because who knows what stuff is in there!
            * download the exact following:
              \ by pressing D on file
              \ //stage3-amd64-nomultilib-20150820.tar.bz2.DIGESTS.asc
              \ //stage3-amd64-nomultilib-20150820.tar.bz2
              \ //209MB
          - execute: links http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/
            \ yes http not https, but it's okay because it's gpg signed and will be checked later
            \ list of mirrors are at: links http://www.gentoo.org/main/en/mirrors.xml (apparently https won't work with links; works with firefox)
            * download the exact following:
              \ by pressing D on file
              \ stage3-amd64-hardened+nomultilib-20150924.tar.bz2.DIGESTS.asc
              \ stage3-amd64-hardened+nomultilib-20150924.tar.bz2
              \ 211MB
          * exit
            \ q, Enter
        * verify integrity
          * get key
            * gpg --recv-keys 0xBB572E0E2D182910
              \ that created /root/.gnupg/gpg.conf, which is required for the following command to work (otherwise you'll have to specify --keyserver keys.gnupg.net or subkeys.pgp.net as the first option to gpg, before --recv-keys):
            * gpg --recv-keys 0xBB572E0E2D182910
              \ seems like a good idea to NOT put this in /etc/portage/gpg/ just in case this key gets compromised and used to sign, let's say. On the other hand the keys are probably signed by each other which would ensure higher trust.
          * check key fingerprint
            * gpg --fingerprint
              \ should match with the one here:
              \ https://www.gentoo.org/proj/en/releng/#doc_chap5
              \ 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
              \ ^ copy paste that here in vim after pressing / to see if it finds this one above aka matched!
          * check key sigs
            * gpg --check-sigs
              \ should be 1 bad signature the 2009-08-25 one at the end (sig-3)
              \ 3 good sigs (sig!3)  and 3 not checked!
              \ sig!3  and sig-3 (the latter is the bad one)
              \ "The exclamation mark is only produced on --check-sigs, it's absent on 
              \ --list-sigs so it's an indication that the signature is good. All signatures 
              \ with --check-sigs should have the ! because signatures made by keys not in 
              \ your key ring are excluded.
              \ The digit is the indication of how much verification took place before signing 
              \ - when you sign a key, GnuPG asks you how carefully you verified the key, 3 
              \ is the highest level - very careful checking."
              \ from: http://lists.gnupg.org/pipermail/gnupg-users/2004-July/022910.html
          * check .asc sig
            * gpg --verify *.asc
              \ gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
              \ ...
              \ same key fingerprint from above
          * check sha512sum of the tar
            * sha512sum -c *.asc
            \ first should be OK, second FAILED (because it's whirlpool not sha512)
            \ stage3-amd64-hardened+nomultilib-20150820.tar.bz2: OK
            \ stage3-amd64-hardened+nomultilib-20150820.tar.bz2: FAILED
        * unpack
          * time tar xvjpf stage3-*.tar.bz2
            \ p for preserve attributes(& owner)
            \ real    1m9.554s
            \ user    0m58.283s
            \ sys     0m33.443s
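        \ Added example (mine, not part of the original log): the verify-integrity steps above as a script. It reads only the "# SHA512 HASH" section of the DIGESTS.asc, so the WHIRLPOOL entries no longer produce the spurious FAILED that plain "sha512sum -c *.asc" prints, and it keeps the gpg signature check as a separate step, because a matching hash proves the download is intact, not that it is the file releng signed. The tarball and DIGESTS file it builds are constructed sample data (the hash is real, the WHIRLPOOL value is a placeholder), not a real stage3.

```shell
#!/bin/sh
# Verify a stage3 download against its DIGESTS.asc: signature first, then the
# SHA512 entry for exactly this file name. Added example, not from the original
# log; the sample files made by make_sample_download are constructed.

# sha512_from_digests DIGESTS NAME -> prints the expected SHA512 for NAME (nothing if absent)
sha512_from_digests() {
    awk -v f="$2" '
        /^# SHA512 HASH/  { insha = 1; next }   # entering a SHA512 section
        /^# /             { insha = 0 }         # any other "# ..." header (WHIRLPOOL) leaves it
        insha && $2 == f  { print $1; exit }    # "<hash>  <filename>" line for our tarball
    ' "$1"
}

# verify_sha512 DIGESTS TARBALL -> 0 if the tarball matches, 1 on mismatch, 2 if no entry
verify_sha512() {
    name=$(basename -- "$2")
    expected=$(sha512_from_digests "$1" "$name")
    [ -n "$expected" ] || { echo "no SHA512 entry for $name in $1" >&2; return 2; }
    actual=$(sha512sum -- "$2" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "$name: OK"; return 0
    fi
    echo "$name: FAILED (sha512 mismatch)" >&2; return 1
}

# verify_stage3 DIGESTS TARBALL -> signature on the .asc, then the hash.
# Compare the key fingerprint in gpg's output against the one published by releng.
verify_stage3() {
    gpg --verify -- "$1" || return 1
    verify_sha512 "$1" "$2"
}

# make_sample_download DIR -> writes a stand-in tarball and a DIGESTS.asc in the
# real layout (SHA512 section, then WHIRLPOOL section); prints the tarball path.
make_sample_download() {
    tar="$1/stage3-amd64-hardened+nomultilib-20150924.tar.bz2"
    printf 'constructed sample, not a real stage3\n' > "$tar"
    sum=$(sha512sum -- "$tar" | awk '{ print $1 }')
    {
        printf '# SHA512 HASH\n%s  %s\n' "$sum" "$(basename -- "$tar")"
        printf '# WHIRLPOOL HASH\n%s  %s\n' "placeholder-not-checked" "$(basename -- "$tar")"
    } > "$tar.DIGESTS.asc"
    echo "$tar"
}

# Run with --demo to see the OK / FAILED paths on the sample files.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    t=$(make_sample_download "$d")
    verify_sha512 "$t.DIGESTS.asc" "$t"             # OK
    printf 'tampered\n' >> "$t"
    verify_sha512 "$t.DIGESTS.asc" "$t" || true     # FAILED
    rm -rf -- "$d"
fi
```

        \ For the real download, call verify_stage3 on the .asc and the .tar.bz2; it returns non-zero on a bad signature, a mismatched hash, or a DIGESTS file that has no entry for that exact file name (eg. a renamed tarball), instead of relying on you to eyeball which FAILED line was the whirlpool one.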
    * cd /mnt/gentoo
      \ #SECONDBOOT
    * (this IS NOT in rsync) add user before rsync-ing:
      - check /etc/skel/.bash_profile if it has the same include line that we added to /root/.bash_profile
        * colordiff -up /etc/skel/.bash_profile /root/.bash_profile
          \ all good
          \ yeah I've colordiff on custom iso!
      * chroot /mnt/gentoo useradd --create-home --groups users,wheel,audio,cdrom,video,usb,portage --shell /bin/bash zazdxscf
      * chroot /mnt/gentoo passwd zazdxscf
    * rsync transfer some files from usbstick (eg. patches, .vimrc etc.)
      \ //true for when getting a stage3 from the internet: this rsync stuff is bad tho; some things shouldn't be rsync-ed like in etc! those conf.d or the gcc-config selection(which is a symlink at least)
      - (already in rsync)run this inside virtualbox:
        * ln -s /home/zazdxscf/patches/portage/ /etc/portage/patches
      * on bare metal, where /root/here/rsync/ is on usbstick mounted
        * pushd /root/here/rsync/
        * chmod +x 0updateFROMusbstickTObaremetalmntgentoo
        * PATH="${PATH}:/root/here/bin/" ./0updateFROMusbstickTObaremetalmntgentoo
          \ path needed for rsyncy command which is there in bin
          \ this script is set to OVERWRITE any newer destination files!! which should be what we wanted here.
        * chmod -x 0updateFROMusbstickTObaremetalmntgentoo
        * popd
        - cd /mnt/gentoo
          \ already here
        * ./2diffdirs
          \ see the differences...
        * realize I need to restore some things for now:
          * vim ./etc/resolv.conf
            \ nameserver 8.8.8.8
          * vim ./etc/ld.so.conf.d/05gcc-x86_64-pc-linux-gnu.conf
            \ remove duplicate entries!
            \ or maybe I shouldn't? because each is from a gcc variant in gcc-config -l
            \ left 2 lines (one for each gcc version)
          * for later: fix hosts, set hostname, fix fstab,
          * restore the net file which had my static IP on the iso, but not in rsync-ed version
            * cp --archive --verbose -- ./rsync-backed/etc/conf.d/net ./etc/conf.d/net
          * restore the newer ca certificates:
            * cp --archive --verbose -- ./rsync-backed/etc/ca-certificates.conf ./etc/ca-certificates.conf
              \ need to copy paste this in 2 parts! (gpm!)
          * TODO: remove virtualbox-guest-additions from default, AFTER having moved squashfs contents to hdd (to serve as stage3) - so right here
            \ rc-update del virtualbox-guest-additions default
            \ I think!
        - clear some things:
          * rm /mnt/gentoo/var/lib/portage/world
            \ this file should be empty on new install!
          * noTODO: gcc-config -l  and need to set the 4.8.5 one which is the only one existing in stage3
          * ok wait, why am I using a stage3 ? I should just copy the ones from the iso!
      - run this on host:
        * cd /home/emacs/rsync/
          \ or cd /home/zazdxscf/rsync/
        * ./0updateTOchroot
          \ run that script... from ~/rsync/ on host!
        - sudo rsync --super --verbose --compress --partial --progress --recursive --links --perms --times --group --owner --no-devices --no-specials --no-hard-links --no-acls --no-xattrs --checksum --delay-updates --max-delete=0 --no-ignore-errors --no-force --numeric-ids --update --info=SYMSAFE,DEL,NAME,SKIP,STATS  --no-munge-links  --preallocate --sparse --one-file-system  --no-prune-empty-dirs  --timeout=60   --rsh="ssh -p 8822 -l root" -- ~/rsync/gentoo/ 127.0.0.111:/mnt/gentoo/
          \ XXX: --no-delete is not recognized, so using --max-delete=0
          \ NOTE: add --update if you don't want newer files inside virtualbox to get overwritten by potentially older ones on the host's side BEFORE doing the above rsync command. We don't want this because when creating the new user the skel .bashrc will always be newer inside virtualbox, but that's not the one we wanna keep.
    * config Portage
      * gpg validated snapshots
        \ from: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Pulling_validated_portage_tree_snapshots
        \ Administrators can opt to only update the local portage tree with a cryptographically validated portage tree snapshot as released by the Gentoo infrastructure. This ensures that no rogue rsync mirror is adding unwanted code or packages in the tree that the system is downloading. 
        - (rsynced) mkdir -p /mnt/gentoo/etc/portage/gpg ; chmod 0700 /mnt/gentoo/etc/portage/gpg
        - (rsynced) gpg --homedir /mnt/gentoo/etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0xDB6B8C1F96D8BF6D
          \ or keys.gnupg.net
          \ I've to copy/paste the above command in two parts (gpm) else the first part gets run without the --recv-keys one (or I actually didn't copy the --recv one at all! not retested!)
        * gpg --homedir /mnt/gentoo/etc/portage/gpg --fingerprint
          \ DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
          \ pub   4096R/96D8BF6D 2011-11-25 [expires: 2015-11-24]
          \ Key fingerprint = DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
          \ uid       [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ sub   4096R/C9189250 2011-11-25 [expires: 2015-11-24]
        * gpg -v --homedir /mnt/gentoo/etc/portage/gpg --check-sigs 0xDB6B8C1F96D8BF6D
          \ gpg: using PGP trust model
          \ gpg: 2 good signatures
          \ 7 signatures not checked due to missing keys
          \ pub   rsa4096/96D8BF6D 2011-11-25 [expires: 2015-11-24]
          \ uid         [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ sig!3        96D8BF6D 2011-11-25  Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ sub   rsa4096/C9189250 2011-11-25 [expires: 2015-11-24]
          \ sig!         96D8BF6D 2011-11-25  Gentoo Portage Snapshot Signing Key (Automated Signing Key)
        - (rsynced)gpg --homedir /mnt/gentoo/etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
          \ 5, enter,y, q, enter
    - (it's good from /mnt/livecd, well it should be next time) copy DNS info
      \ actually this is bad if it comes from virtualbox made iso, because it points to 10.0.2.3 or something like that!
      * cp -L /etc/resolv.conf /mnt/gentoo/etc/
        \ use the -L option to the cp command. This ensures that, if /etc/resolv.conf is a symbolic link, that the link's target file is copied instead of the symbolic link itself. 
    * mount virtual stuffs into chroot
      \ more info: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Mounting_the_necessary_filesystems
      * make sure portage user id is the same on livecd as on chroot
        * test "$(chroot /mnt/gentoo/ id portage)" = "$(id portage)" && echo "identical"
          \ (&& rather than a pipe into echo: piped, "identical" would be printed whatever the test result)
          \ if you see identical, carry on
          \ otherwise see the differences with:
          \ cat <(chroot /mnt/gentoo/ id portage) <(id portage)
          \ you need to use the chroot user id somehow. TODO (maybe)
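        \ Added example (mine, not part of the original log): the same portage-uid check done by reading the two passwd files directly, which also works before the chroot is usable. The reason it matters here: the uid=portage,gid=portage in the tmpfs mount below is resolved against the livecd's /etc/passwd, so if the numeric id differs inside /mnt/gentoo the mounted /var/tmp/portage belongs to some other uid from the chroot's point of view, and userpriv/usersandbox builds run as the wrong owner. The passwd files it creates are constructed samples, not real ones.

```shell
#!/bin/sh
# Compare a user's uid:gid between the live system and the chroot by reading
# each side's /etc/passwd. Added example, not from the original log; the
# sample roots built by make_sample_roots are constructed.

# passwd_uid_gid PASSWD_FILE USER -> prints "uid:gid" for USER, nothing if absent
passwd_uid_gid() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; exit }' "$1"
}

# same_ids USER HOST_ROOT CHROOT_ROOT
#   0 = uid and gid identical on both sides
#   1 = present on both sides but different (the case the tmpfs mount would get wrong)
#   2 = missing on at least one side
same_ids() {
    user=$1
    host=$(passwd_uid_gid "$2/etc/passwd" "$user")
    chr=$(passwd_uid_gid "$3/etc/passwd" "$user")
    if [ -z "$host" ] || [ -z "$chr" ]; then
        echo "$user: missing on one side (host='$host' chroot='$chr')" >&2; return 2
    fi
    if [ "$host" = "$chr" ]; then
        echo "$user: identical ($host)"; return 0
    fi
    echo "$user: DIFFERENT host=$host chroot=$chr" >&2; return 1
}

# make_sample_roots DIR -> creates DIR/host/etc/passwd and DIR/chroot/etc/passwd
# (constructed: portage matches, the test user does not, cdrom only exists on one side)
make_sample_roots() {
    mkdir -p -- "$1/host/etc" "$1/chroot/etc"
    cat > "$1/host/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
zazdxscf:x:1000:100::/home/zazdxscf:/bin/bash
cdrom:x:19:19::/dev/null:/bin/false
EOF
    cat > "$1/chroot/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
zazdxscf:x:1001:100::/home/zazdxscf:/bin/bash
EOF
}

# Run with --demo to see all three outcomes; on the real system use
#   same_ids portage / /mnt/gentoo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_roots "$d"
    same_ids portage  "$d/host" "$d/chroot"          # identical
    same_ids zazdxscf "$d/host" "$d/chroot" || true  # DIFFERENT
    same_ids cdrom    "$d/host" "$d/chroot" || true  # missing
    rm -rf -- "$d"
fi
```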
      * mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=1777 tmpfs /mnt/gentoo/tmp/
        \ #SECONDBOOT
        \ //mount -t tmpfs tmpfs /mnt/gentoo/var/tmp/
        \ //OR mount -t tmpfs none /mnt/gentoo/tmp/
        \ XXX: can't really use noexec now can I?!
        \ size=7G because we have 8G RAM (in this current virtualbox VM now) size=90% is the same thing except that when you change ram size in vm this will resize accordingly! very much needed that!
        \ noatime implies nodiratime; but we better use relatime
        \ 1777: the leading 1 is the sticky bit (t), which means (from man chmod):
        \ RESTRICTED DELETION FLAG OR STICKY BIT
        \ The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. For regular files on some older systems, the bit saves the program's text image on the swap device so it will load more quickly when run; this is called the sticky bit.
      * mount --rbind /mnt/gentoo/tmp/ /mnt/gentoo/var/tmp/
        \ #SECONDBOOT
        \ have /tmp be accessible from /var/tmp also
      * PORTAGE_TMPDIR can be further restricted
        \ interesting read for portage tmpfs https://wiki.gentoo.org/wiki/Portage_TMPDIR_on_tmpfs
        \ the default portage tmpdir is /var/tmp (can be seen LATER with emerge --info|grep ^PORTAGE_TMPDIR ) but portage does its magic MOSTLY in /var/tmp/portage (ccache portage stuff is in /var/tmp/ccache, another subdir of PORTAGE_TMPDIR)
        - mkdir /mnt/gentoo/var/tmp/portage/
          \ don't worry about mkdir folder attributes here, fstab will override them later on, also the mount below enforces them
          \ unneeded due to x-mount.mkdir
        * mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 tmpfs /mnt/gentoo/var/tmp/portage/
          \ #SECONDBOOT
      * mount -t proc proc /mnt/gentoo/proc ; mount --rbind /sys /mnt/gentoo/sys ; mount --rbind /dev /mnt/gentoo/dev ; mount --rbind /run /mnt/gentoo/run
        \ #SECONDBOOT
        \ /run is needed for grub to talk to lvmetad
    - (auto applied after webrsync) apply the patch that rsync put in (which portage itself cannot apply automatically via euser_patch)
      * cd /mnt/gentoo/
        \ don't put it in usr/portage/eclass/ because webrsync will delete everything in that folder
      * patch -Np1 -i /mnt/gentoo/home/zazdxscf/patches/webrsync/notify_when_patches_folder_inaccessible_by_portage.patch
        \ XXX: this needs to be applied after every successful emerge-webrsync !!!
        \ done: make a script which calls webrsync AND applies this patch afterwards! - done and put in /etc/portage/postsync.d/  aka the hooks that emerge-webrsync executes (if they are set executable)
    * verify make.conf is okay
      - nano -w /mnt/gentoo/etc/portage/make.conf
        \ -w means don't wrap long lines
      * vim /mnt/gentoo/etc/portage/make.conf
        \ I have vim because I'm on admincd and not inside chroot!
        \ for example settings see /mnt/gentoo/usr/share/portage/config/make.conf.example
        * :set paste
        - to see what's already in effect, switch to another terminal(or a new ssh session) and
          \ can't do this yet, only later on inside chroot!
          \ emerge --info | less
        - TODO: XXX: this has NO EFFECT!!! fffs! set EPATCH_SOURCE='/patches' to the /etc/portage/patches folder but a different one! and apply the folder path accordingly in the text you'll be reading below(eg. scp).
          \ also EPATCH_SUFFIX='pech' (instead of 'patch') and rename all files accordingly!
          \ TODO: add .pech to mc's extension list, so it is properly colored
          \ set EPATCH_FORCE='no' and use this form for all patches: ??_${ARCH}_foo.${EPATCH_SUFFIX}
          \ use 'all' for the ${ARCH} part to apply a patch on all architectures (eg. not just amd64)
          \ XXX: note: EVCS_OFFLINE if non-empty prevents any online operations (eg. git pull) - this is what I need when I don't have internet but I want to re-emerge a -9999 package
          \ see more: https://devmanual.gentoo.org/eclass-reference/git-r3.eclass/index.html
          * mkdir -p -- '/patches' && chown root:root /patches && chmod a+rx,a-w,u+w /patches
            \ what you put inside this dir is eg. app-misc/  instead of portage/app-misc/
        * (verify!)replace the USE flags line (Ctrl+K to remove that line): 
          * USE="3dnow 3dnowext X bindist btrfs crypt cryptsetup cscope dbus device-mapper      git gpg gpm gstreamer gtk3 jpeg lock mmx mmxext  mosh-hardening pie   pulseaudio readline session sse sse2 sse3 ssp startup-notification     strong-security -system-cairo system-icu system-jpeg system-libvpx     system-sqlite xcomposite -cdr -cgi -cvs -debug -dvdr -emacs     -firmware-loader -fortran -gnome -ipv6 -java -jit -kde -libssp -mudflap -lua     -luajit -lvm1 -mclib -minimal -network-cron -nls -nopie -nossp -plymouth     qt4 -racket -ruby -samba -static -static-libs -symlink -systemd -tcl     -test -thunar -unicode -vim-pager -wifi -yahoo -filter_audio -libav consolekit policykit extensions -gstreamer -gstreamer-0 egl -gmp-autoupdate -tty-helpers -tcpd popcnt sse4a lm_sensors opus ogg"
          \ -tty-helpers  is something that sys-apps/util-linux-2.26.2  said it did automatically!
          \ online USE flags list+descriptions: https://www.gentoo.org/dyn/use-index.xml#doc_chap1
          \ XXX: libav was default but was switched to ffmpeg(by either not specifying libav or by -libav); we'll try ffmpeg (aka -libav) in next incarnation
          \ there's ufed to show and sort flags! TODO: eventually run ufed to tidy up the flags(eg. sort) which breaks them on multiple lines though.
          \ device-mapper for grub, lvm2 (unsure if needed): "Enable support for device-mapper from sys-fs/lvm2"
          \ XXX: -libssp keep this disabled!
          \ -symlink to not update /usr/src/linux symlink to point to most recent kernel sources installed, this way using `eselect kernel list` and `eselect kernel set 2` is the way to change that symlink
          \ XXX: disabled debug flag because at least vim will create nfa_regexp_{debug,dump,run}.log files in current folder(!) on each vim invocation and append stuff to them. Will enable debug only when needed on a per-package basis.
          \ see: equery uses seamonkey  (after emerge -a app-portage/gentoolkit ) to see all flags used by seamonkey for example.
          \ A full description on the available USE flags can be found on the system in /usr/portage/profiles/use.desc
          \ or this https://www.gentoo.org/dyn/use-index.xml#doc_chap2
          \ switch terminal Alt+F3 (or get a new ssh session), less /mnt/gentoo/usr/portage/profiles/use.desc
          - emerge --info | grep ^USE
            \ to see current (profile's) USE contents
            \ can't do this yet, only later on inside chroot!
        * (verify!)replace the  CFLAGS line with: CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
          \ XXX: added -fPIC because lots of packages complain! and ask for -fPIC; it's ridiculous!
          \ XXX: don't use -g3  use -ggdb instead; because "There is actually another flag ( -g3 ), but its use is not recommended. It seems to break binary interfaces and might lead to extra crashes. " src: https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces  see that on how to get stack traces!
          \ XXX: for debug, I have: -g3 -DDEBUG -O1 -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2
          \ not using -fstack-protector-all because since I don't have hardened, then why bother with this puny protection anyway.
          \ XXX: don't use -Wstack-protector because when compiling gcc 5.2.0 that warning happens and it's treated as error and thus fails.
          \ XXX: don't use -DDEBUG or else compiling gnutls and gcc will fail: https://bugs.gentoo.org/show_bug.cgi?id=545316#c12
          \ XXX: -fsanitize=address" can't include this; fails with some -lasanp or something error whateverrrrr
          \ never -O0 , but -O1 is good for gdb, -O2 if you want fast!
          \ TODO: not sure if -ggdb is better than -g3
          \ don't use any extra spaces, it's known to break
          \ XXX: # -fstack-protector-strong  apparently breaks compiler (some ./configure says C compiler cannot generate executables).
          \ More info:
          \ https://wiki.gentoo.org/wiki/GCC_optimization#Introduction
          \ https://gcc.gnu.org/onlinedocs/gcc/Invoking-GCC.html#Invoking-GCC
          \ https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#Optimize-Options
        * (verify! well ccache is enabled in rsynced...)append this: FEATURES="assume-digests binpkg-logs -buildpkg -buildsyspkg -candy -ccache cgroup -clean-logs collision-protect -compress-build-logs -compress-index -compressdebug config-protect-if-modified -digest -distcc -distcc-pump distlocks downgrade-backup binpkg-multi-instance ebuild-locks -fail-clean fakeroot fixlafiles force-mirror -force-prefix -getbinpkg installsources ipc-sandbox -keeptemp -keepwork -lmirror merge-sync -metadata-transfer -mirror multilib-strict network-sandbox news -noauto -noclean -nodoc -noinfo -noman nostrip -notitles parallel-fetch parallel-install prelink-checksums preserve-libs -protect-owned sandbox sfperms -sign -skiprocheck split-elog split-log -splitdebug strict -stricter -suidctl -test -test-fail-continue -unknown-features-filter unknown-features-warn unmerge-backup unmerge-logs -unmerge-orphans userfetch userpriv usersandbox -usersync webrsync-gpg -xattr"
          \ see all FEATURES flags in man make.conf
          \ these flags save binary packages: buildpkg buildsyspkg downgrade-backup unmerge-backup 
          \ When Portage is run as root, FEATURES="userfetch" will allow Portage to drop root privileges while fetching package sources. This is a small security improvement. 
          \ // didn't add ccache just yet! (Note: ccache command isn't available on livecd(nor in the uncompressed stage3), so we can only add it later on inside chroot) - ccache is available on our custom iso and thus inside /mnt/gentoo/ since we used this iso's squashfs as stage3!
          \ FIXME: removed test due to extra requirements like tcl and other stuff that I don't currently understand; for btrfs-progs  lots of things are needed like X libs corefonts truetype etc.
          \ //FIXME: add back stricter and see what QA_ vars need to be fiddled with, eg. for ncurses to compile. man make.conf
        * append this: PORTAGE_GPG_DIR="/etc/portage/gpg"
        * append this: PORT_LOGDIR="/var/log/portage/ebuild.logs/"
        * append this: PORTAGE_BINHOST=""
          \ to avoid downloading binary packages by emerge --getbinpkg or --getbinpkgonly (or -gK)
        * (fixed: for bare metal)append this: CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext sse sse2 sse3 popcnt sse4a"
          \ that's my cpu flags in virtualbox, for my lenovo z575 laptop cpu is: AMD A6-3400M APU with Radeon(tm) HD Graphics (fam. 18, aka 12h)
          \ to get the updated flags(XXX: but this cannot be done right now):
          \ emerge -1v app-portage/cpuinfo2cpuflags
          \ cpuinfo2cpuflags-x86
          * also add them to USE=  for compatibility (for 1 year) - ALREADY added below
            \ as  eselect news read 9  says
        * append this: ACCEPT_KEYWORDS="~amd64"
          \ to use bleeding edge packages
        - append this: ACCEPT_LICENSE="* -@EULA"
          \ this is the default which can be seen with emerge --info|less
        * append: ACCEPT_LICENSE="-* @FREE"
          \ allow only free software and docs to be installed
          \ src: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Licenses
        * append this: INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
          \ src: http://gentooexperimental.org/~patrick/weblog/archives/2014-02.html
        * append: USE_PYTHON=2.7
        * append this to use 4 cores when make: MAKEOPTS="-j4"
        - disable rsync because it's insecure and can't verify authenticity, by appending in make.conf the following line: SYNC="rsync://127.0.0.3/"
          \ src: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Updating_the_portage_tree
          \ no longer in effect and we get a warning, at least with the current admincd, which is the 9th July one.
        * grub, append these two lines:
          \ # Standard PC (BIOS)
          \ GRUB_PLATFORMS="pc"
          \ for uefi on amd64 add: efi-64 (not needed in virtualbox)
        * (NEEDed change!) append X stuff:
          \ INPUT_DEVICES="keyboard synaptics evdev" #virtualbox evdev" # synaptics" only on host(not VM) TODO: unsure if vmmouse or even mouse is needed! maybe not needed due to evdev! - apparently not needed, but we'll see on bare metal 
          \ VIDEO_CARDS="radeon" #"virtualbox"  #radeon
        * prepare for ccache later on
          \ add lines:
          \ #this is the default ccache dir, but it's great to state it, in case we wanna change it later, eg. when firefox compilation happens:
          \ CCACHE_SIZE="200G"
          \ 5G seems to be the default if that line doesn't exist
          \ CCACHE_UMASK="0002"
          \ ^ https://bugs.gentoo.org/show_bug.cgi?id=492910
          * choose one, to set ccache into RAM(tmpfs) or on hdd:
            * tmpfs
              \ CCACHE_DIR="/var/tmp/ccache"
              \ CCACHE_SIZE="6G"
              \ i chose this (with virtualbox)
            * hdd (if not in virtualbox)
              \ CCACHE_DIR="/ccache"
              \ CCACHE_SIZE="100G"
        * ensure git-r3 (git3-src) (well, the ebuild command) updates the git source folder with the right permissions to allow ebuild to be run as a normal user (a normal user that's in the portage group, ofc)
          \ EVCS_UMASK="0002"
          * ebuild/emerge will fail with live ebuilds (eg. ebuild somefile.ebuild compile) when run as a normal user, after having been run as root
            \ workaroundFIX: # chmod -cR g+w /usr/portage/distfiles/git3-src
            \ actual fix: need to run git as portage user, otherwise some files get run as the normal user, thus inheriting its user:group
            \ FIXME: (gentoo issue, well /usr/portage/eclass/git-r3.eclass): this still doesn't solve the problem when running ebuild for the first time as user X and then trying to run as user Y  will fail to update the git folder located at /usr/portage/distfiles/git3-src/ because user X:X owns the folder and others don't have write rights, so Y cannot write. I was thinking of replacing git invocations in git-r3.eclass with su invocations but sudo would be better(except, unlike su, it needs to be already installed) - su is bad because even with --preserve-environment  it will still clear $PATH and $IFS as you can see here:
            \ # echo $PATH ; su -c 'echo "$PATH"' -- emacs
            \ /usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3
            \ /bin:/usr/bin
            \ workaround: # su -c 'PATH="'"$PATH"'" ; IFS="'"$IFS"'"; echo "$PATH" "$IFS"' --preserve-environment -- emacs
            \ workaround for the user Y situation: # chown -cR portage:portage /usr/portage/distfiles/git3-src
        * save
          \ Ctrl+X, y, enter
        - nano -w /etc/portage/package.use/pambase  (created new file)
          \ add line:
          \ sys-auth/pambase -debug
          \ sys-libs/pam -debug
          - nano -w /etc/portage/package.use  (created new file)
            \ add line:
            \ sys-auth/pambase -debug
        * add a gentoo mirror
          \ by appending this line:
          \ GENTOO_MIRRORS="http://ftp.romnet.org/gentoo/ http://tux.rainside.sk/gentoo/ http://de-mirror.org/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://www.las.ic.unicamp.br/pub/gentoo/"
          \ in /mnt/gentoo/etc/portage/make.conf
          \ or by running this to manually select mirrors:
          \ mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
          \ or better to get the 3 fastest ones:
          \ time mirrorselect -s3 -D -o   (ok this currently segfaults!)
          \ this takes a long time,
          \ that gives the GENTOO_MIRRORS var on stdout, you need to copy it in make.conf
          \ more info: https://wiki.gentoo.org/wiki/GENTOO_MIRRORS
        - DON'T add an rsync mirror:
          \ mirrorselect -i -r -o >> /mnt/gentoo/etc/portage/make.conf
        * to select a non-rsync mirror:
          \ mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
          \ or just without the redirect to get copy pasting in action
        - (rsynced)mkdir /mnt/gentoo/etc/portage/repos.conf/
        - (rsynced)nano -w /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
          \ this doesn't exist!
          - Comment out the sync-type and sync-uri variables
            \ # sync-type = rsync
            \ # sync-uri = ...
          * write these lines:
            \ [DEFAULT]
            \ main-repo = gentoo
            \
            \ [gentoo]
            \ auto-sync = no
            \ sync-type =
            \ sync-uri =
            \
            \ #XXX: ok, the first two aren't needed, apparently! but just like the next 2 (sync-*) options(which are empty by default) we are making the defaults explicit! in the latter case it means sync-*  disabled! (see: man portage)
            \ #XXX: actually, due to  eselect news read 10  the default for auto-sync is yes! and sync-type can be webrsync but it will warn(when running cpuinfo2cpuflags-x86 at least) if sync-uri is empty! !!! Repository 'gentoo' has sync-type attribute, but is missing sync-uri attribute
        - (rsynced)let's get rid of a warning:
          \ !!! Repository 'x-portage' is missing masters attribute in '/usr/portage/metadata/layout.conf'
          \ !!! Set 'masters = gentoo' in this file for future compatibility
          * mkdir -p /mnt/gentoo/usr/portage/metadata/
          * (rsynced as: "masters =")nano -w /mnt/gentoo/usr/portage/metadata/layout.conf
            \ masters = gentoo
    - (rsynced as enabled because we DO have ccache in our iso as stage3; not have only when inet downloaded stage3)vim /etc/portage/make.conf
      * ensure ccache is disabled, so it's: -ccache
        \ because we don't yet have it installed
    * relax grsec before chrooting!
      * sysctl -w kernel.grsecurity.chroot_deny_mount=0 ; sysctl -w kernel.grsecurity.chroot_deny_chmod=0 ; sysctl -w kernel.grsecurity.chroot_deny_chroot=0 ; sysctl -w kernel.grsecurity.chroot_caps=0 ; sysctl -w kernel.grsecurity.chroot_deny_mknod=0
    * chroot /mnt/gentoo env-update
      \ needed because of all the changes that rsync did, and before actually chroot logging in!
    * chrooting
      - nano -w /mnt/gentoo/root/.bash_profile
        \ [[ -f ~/.bashrc ]] && . ~/.bashrc
        \ note: the bashrc for user zazdxscf will be updated to contain this line automatically when that user is created because of /etc/skel/.bash_profile containing it and it's from package app-shells/bash-4.3_p33-r2
      - nano -w /mnt/gentoo/root/.bashrc
        \ # contents:
        \ shopt -u cdspell
        \ # -1 works for bash 4.3+ not 4.2 (likely due to some readline bug) currently admincd has version 4.33 of bash, so we're good!
        \ # "Numeric values less than  zero  result  in every  command  being  saved  on  the  history  list (there is no limit)":
        \ use this when on livecd and thus bash is 4.2
        \ #export HISTSIZE=9999999
        \ # use this when updated to unstable 4.3 bash:
        \ export HISTSIZE=-1
        \ # "Non-numeric  values  and numeric values less than zero inhibit truncation":
        \ export HISTFILESIZE=${HISTSIZE}
        \ unset HISTCONTROL
        \ unset HISTIGNORE
        \ export HISTTIMEFORMAT='%F %T '
        \ export FUNCNEST=30000
        \ unset GLOBIGNORE
        \ unset EMACS
        \ unset CDPATH
        \ 
      * chroot /mnt/gentoo /bin/bash --login
        \ #CHROOT
        \ #SECONDBOOT unneeded:do this first: cp /etc/mtab /mnt/gentoo/etc/mtab
        \ --login it first reads and executes commands from the file /etc/profile, if that file exists. After  reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one  that exists  and  is  readable. (see man bash , /INVOCATION)
        \
        \ if you're doing this in existing linux (so not inside virtualbox with livecd/installcd) then the command is:
        \ env -i HOME=$HOME TERM=$TERM chroot /mnt/gentoo /bin/bash
        \ /usr/sbin/env-update
        \ to flush your environment
        \ as per at the end of this article: https://wiki.gentoo.org/wiki/Installation_alternatives#Building_parted_to_resize_partition
      - source /etc/profile 
        \ that bash -l does this
      - /usr/sbin/env-update
        \ this is optional(added by me), whatever it does(it regenerates /etc/profile.env from /etc/profile.d/*  and regens /etc/ld.so.cache), it doesn't change /etc/profile itself, but this would affect /etc/profile sourcing(which uses profile.env), nothing is changed from the default profile.env as I can tell.
      - source ~/.bashrc
        \ only makes sense if you're not doing this in a new installation ie. if you're rescuing
        \ nevermind, bash -l does this indirectly(by having .bash_profile source .bashrc)
      - export PS1="(chroot1) $PS1"
        \ #SECONDBOOT that's all, unneeded:+ do this: vim /etc/mtab and :%s/mnt\/gentoo//g  then :%s/\/\//\//g  then remove any lines with mnt(should be 4 lines) then remove the first line(rootfs ) and what's now the 5th line(tmpfs / tmpfs) and finally remove the last four lines (proc, /sys, /dev, /run) and jump to grub below (shift+8 on #GRUBY)
    * get portage
      * download but fail to gpg check:
        * time emerge-webrsync -v -k
          \ 1m15.481s
          \ //2min2sec
          \ 62MB
          \ this supposedly checks gpg key, but wait there's no gpg inside chroot yet
          \ emerge-webrsync: error: cannot check signature: gpg binary not found
          \ can't run this now:
          \ emerge --ask app-crypt/gnupg
        - getting some garbled output(with admincd of 9 july 2015): ok this was because I was missing a closing quote from a previous parameter(PORT_LOGDIR)!!!
          \ "/etc/portage/make.conf", line 25: Invalid token 'mmx' (not '=')
          \ !!! Section 'x-portage' in repos.conf has location attribute set to nonexistent directory: '/usr/portage'
          \ !!! Section 'gentoo' in repos.conf has location attribute set to nonexistent directory: '/usr/portage'
          \ !!! Invalid Repository Location (not a dir): '/usr/portage'
          \ "/etc/portage/make.conf", line 25: Invalid token 'mmx' (not '=')
          \ ok apparently that /usr/portage dir was made after this, and there was no error the next time;
      - (no longer in effect)manually check sig from outside chroot
        * switch to another terminal or start a new ssh session to have access to the gpg command, and run this outside chroot:
          \ or exit chroot, checksig and enter chroot back again.
          * gpg --verbose --homedir /mnt/gentoo/etc/portage/gpg --verify /mnt/gentoo/usr/portage/distfiles/portage-201*.tar.xz.gpgsig /mnt/gentoo/usr/portage/distfiles/portage-201*.tar.xz
            \ new:
            \ Version: GnuPG v2
            \ gpg: armor header: 
            \ gpg: Signature made Tue Feb 10 00:55:53 2015 UTC using RSA key ID C9189250
            \ gpg: using subkey C9189250 instead of primary key 96D8BF6D
            \ gpg: using PGP trust model
            \ gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [ultimate]
            \ gpg: binary signature, digest algorithm SHA1
            \ old:
            \ gpg: Signature made Thu Jan  8 00:55:21 2015 UTC using RSA key ID C9189250
            \ gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
            \ gpg: WARNING: This key is not certified with a trusted signature!
            \ gpg:          There is no indication that the signature belongs to the owner.
            \ Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
            \      Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
      - switch back to the chroot-ed terminal
      - temporarily remove webrsync-gpg from make.conf
        * nano -w /etc/portage/make.conf  (you no longer have vim here, because chroot-ed!)
          \ Note: there is no vim inside chroot, even though admincd has it(outside of chroot)
          \ Ctrl+W webrsync, to position yourself on it and put a - in front of it
          \ ^ that edited the FEATURES line to NOT have webrsync-gpg or just put a - in front of it(better!)
          \ Ctrl+X, y, Enter
      - rerun:
        * time emerge-webrsync -v -k
          \ 1m41s
      - put back webrsync-gpg from make.conf
        \ nano -w /etc/portage/make.conf
        \ edit the FEATURES line to have webrsync-gpg (Ctrl+W to search)
    - fix re-reporting of warnings inside QA Notice block (apparently this got fixed by adding an "| uniq" at the end)
      \ https://bugs.gentoo.org/show_bug.cgi?id=539848
      * nano -w /usr/lib/portage/python2.7/install-qa-check.d/90gcc-warnings
        \ Alt+G, 85
        \ comment out this line(using # ):
        \ f=$(LC_CTYPE=C LC_COLLATE=C "${grep_cmd}" -E "${joined_msgs}" "${PORTAGE_LOG_FILE}")
        \ add this line(indented properly, although not required 'cause this isn't python!):
        \ f=$(LC_CTYPE=C LC_COLLATE=C "${grep_cmd}" --invert-match -E $'^( \x1b\[33;01m\*\x1b\[0m |\x1b\[31;01m \* \x1b\[39;49;00m)' "${PORTAGE_LOG_FILE}" | LC_CTYPE=C LC_COLLATE=C "${grep_cmd}" -E "${joined_msgs}")
      * do same for 3.3 file
        * nano -w /usr/lib/portage/python3.3/install-qa-check.d/90gcc-warnings
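      \ As an added example (not from these notes and not Portage's own 90gcc-warnings code), a small POSIX sh stand-in for the patched grep pipeline above: it drops the lines carrying Portage's coloured einfo/ewarn bullet before grepping for compiler warnings, so a QA Notice block written by an earlier run is not re-reported. The warning pattern subset and the sample build log are constructed.

```shell
#!/bin/sh
# Added example, not code from the notes or from Portage: a stand-in for the
# grep pipeline patched into install-qa-check.d/90gcc-warnings above.
# The idea: filter out Portage's own elog lines (the coloured " * " bullets)
# before grepping for compiler warnings, so a "QA Notice" block written by an
# earlier run does not get counted as fresh warnings.

# Constructed subset of the warning regexes that 90gcc-warnings joins with |
# (the real list is longer; the shape is what matters here).
gcc_warning_patterns() {
    printf '%s' 'warning: implicit declaration of function|warning: unused variable|warning: dereferencing type-punned pointer'
}

# Read a build log on stdin; print only warning lines that are NOT prefixed by
# Portage's elog bullet. The two prefixes are the einfo (yellow "*") and ewarn
# (red " * ") forms the notes above match; the ESC byte is produced with printf
# so this stays POSIX sh (the original uses bash's $'...' quoting).
filter_gcc_warnings() {
    esc=$(printf '\033')
    LC_CTYPE=C LC_COLLATE=C grep -v -E \
        "^( ${esc}\[33;01m\*${esc}\[0m |${esc}\[31;01m \* ${esc}\[39;49;00m)" |
        LC_CTYPE=C LC_COLLATE=C grep -E "$(gcc_warning_patterns)"
}

# Constructed sample log: two real compiler warnings, plus a QA Notice block
# from a previous run that quotes one of them (einfo prefix) and an ewarn line
# quoting the other. Only the two real ones should survive the filter.
sample_log() {
    esc=$(printf '\033')
    printf '%s\n' \
        "gcc -O2 -fPIC -c foo.c" \
        "foo.c:12:5: warning: implicit declaration of function 'bar' [-Wimplicit-function-declaration]" \
        " ${esc}[33;01m*${esc}[0m QA Notice: Package triggers severe warnings which indicate that it" \
        " ${esc}[33;01m*${esc}[0m        may exhibit random runtime failures." \
        " ${esc}[33;01m*${esc}[0m foo.c:12:5: warning: implicit declaration of function 'bar' [-Wimplicit-function-declaration]" \
        "${esc}[31;01m * ${esc}[39;49;00mbaz.c:7:3: warning: unused variable 'i' [-Wunused-variable]" \
        "gcc -O2 -fPIC -c baz.c" \
        "baz.c:7:3: warning: unused variable 'i' [-Wunused-variable]"
}

# Number of warning lines before filtering (what the unpatched grep counts).
count_raw_warnings() {
    sample_log | grep -cE "$(gcc_warning_patterns)"
}

# Number of warning lines after filtering (what the patched grep counts).
count_real_warnings() {
    sample_log | filter_gcc_warnings | grep -c .
}

# Stand-alone demo: raw count is inflated by the quoted QA lines, the
# filtered count is the real number of compiler warnings.
printf 'raw: %s  filtered: %s\n' "$(count_raw_warnings)" "$(count_real_warnings)"
sample_log | filter_gcc_warnings
```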
    * select profile
      \ nothing to do here but look, otherwise you'd need a different stage3 now, wouldn't you?!
      * eselect profile list
        \ //already selected:
        \ //  [11]  default/linux/amd64/13.0/no-multilib *
        \ //yes, this is bad!! it's normal gentoo no-multilib!
        \ //because of rsync-ed content!
        \ //make sure you select that hardened no-multilib:
        \ //  [16]  hardened/linux/amd64/no-multilib
        \ new rsync content, already selected:
        \   [16]  hardened/linux/amd64/no-multilib *
        * eselect profile 16
        * eselect profile list
          \ to be sure
    * configure locales
      \ sys-libs/glibc-2.19-r1 (/etc/locale.gen)
      \ XXX: Do I need to hold off on any emerge --ask  invocations until after I've set up locale ? - probably
      - (already done by rsync) nano -w /etc/locale.gen
        \ XXX: this doesn't exist in uclibc version!
        \ uncomment the first two
        \ en_US ISO-8859-1
        \ en_US.UTF-8 UTF-8
      * run: locale-gen
        \ XXX: this doesn't exist in uclibc-hardened version?!
        \ takes under 10sec
      * locale -a
        \ to verify.
        \ XXX: this doesn't exist in uclibc version?!
      * set the system-wide locale settings
        * eselect locale list
        * select the C one:
          \   [1]   C *
          * eselect locale set 1
            \ already selected by rsync
        - Select the en_US.utf8 one:
          * eselect locale set 5
      * env-update && source /etc/profile && source ~/.bash_profile
      - Ctrl+R, PS1
        \ export PS1="(chroot1) $PS1"
    * timezone
      - (rsyncdone) ls /usr/share/zoneinfo/
        \ FIXME: this doesn't exist in uclibchardened version?!
        \ sys-libs/timezone-data-2014i-r1 (/usr/share/zoneinfo)
      - (rsyncdone) echo "Europe/Brussels" > /etc/timezone
      * time emerge --config sys-libs/timezone-data
        \ this needs fakeroot - NO it doesn't, but you still get the warning:
        \ !!! FEATURES=fakeroot is enabled, but the fakeroot binary is not installed.
        \ 0m2.775s
        \ I just did this anyway
    * time emerge -nav app-portage/cpuinfo2cpuflags
      \ ran: cpuinfo2cpuflags-x86
      \ refreshed the above CPU_FLAGS and USE flags, so this doesn't have to be run again!
      \ don't emerge -1  because we do want to have this in favs to get updated just in case new things may get detected who knows...
      \ duration: 0m50.542s
      * cpuinfo2cpuflags-x86
        \ CPU_FLAGS_X86: 3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a
        \ updated above make.conf and thus rsync will do this in the future!
    * get a newer portage (if any)
      \ TODO: do I need the unstable one? currently going with stable one!
      * time emerge -avu \>=portage-2.2
        \ does nothing because 2.2.22(unstable!) already installed and latest (stable one?) took 1m31s though
        \ say no to add to favorites hmmm, i added -1 arg so nvm.
        \ NOTE XXX: patches in /etc/portage/patches/ silently ignored when using symlinks to any folder within /root (but not for /home(or /home/user) due to o-rx for /root and o+rx for the /home and /home/user) and userpriv in FEATURES because folder is inaccessible by portage:portage
        \ https://wiki.gentoo.org/index.php?title=%2Fetc%2Fportage%2Fpatches&diff=265028&oldid=200410
        * TODO: add portage patches that I manually edited in with nano above (and who knows what others i forget about at this moment)
    - (already have it installed! customiso)install ccache   [yes, before fakeroot]
      \ docsrc: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Caching_compilation_objects
      * time emerge -av \>=ccache-3.2.2
        \ 37s
        \ for future reference, to read: /usr/share/doc/ccache-3.2.2/README.gentoo
      - (rsynced) CCACHE_DIR="/ccache" ccache -M 26G
        \ unsure if this is needed although after emerging it, it says that we should do it.
        \ I do it because it creates the dir
      * nano -w /etc/portage/make.conf
        \ change -ccache into ccache
      - when want to use ccache for non-portage compilations:
        * nano -w ~/.bashrc
          \ export PATH="/usr/lib/ccache/bin:${PATH}:~/bin"
        * source /etc/profile ; source ~/.bashrc
        * Ctrl+R, PS1
        \ export PS1="(chroot1) $PS1"
      * to watch ccache in another (chrooted) terminal
        \ CCACHE_DIR="/ccache" watch -n1 -d -- ccache -s
        \ or /var/tmp/ccache  if you left it there...(see make.conf setting)
        \ XXX: chrooted because ccache command is not available on live cd(admin cd currently; but neither install-cd has it)
        \ to chroot:
        \ chroot /mnt/gentoo /bin/bash --login
        \ //export PS1="(chroot2) $PS1"
    - (rsynced)this adds /root/bin to path (and later for /home/zazdxscf/bin)
      * nano -w ~/.bashrc
        \ export PATH="${PATH}:~/bin"
      * mkdir ~/bin
        \ will add some scripts later, like dpaste for example.
    - (already have it now)time emerge --ask --verbose sys-apps/fakeroot
      \ fakeroot 1.20 (1m21s with ccache on normal; 5min45s without ccache on hardened)
      \ fakeroot in FEATURES requires fakeroot(8)
      \ in effect only when building as non-root user
      \ TODO: move this for after system is installed!
      \ will get this warning running emerge, until fakeroot is installed:
      \ !!! FEATURES=fakeroot is enabled, but the fakeroot binary is not installed.
    - (already have it now)debugedit for FEATURES=installsources to work
      * time emerge -nav debugedit
        \ 6m38s
    - (no need anymore due to above)reinstall fakeroot to get its sources(since we have debugedit now)
      * time emerge -av sys-apps/fakeroot debugedit dev-libs/icu dev-libs/beecrypt
        \ yep also install debugedit and its deps
        \ about 5mins 15sec
    - install mosh to "replace" ssh (7m48s) - NOPE, maybe some other time
      \ connecting to the remote host (this VM) only needs ssh running, the mosh package installed, and a utf8 locale set. Then connect to it via: $ mosh root@10.0.2.15 - the IP used above when we set up networking
      * time emerge --ask -v net-misc/mosh
        - requires utf8 locales set to run. (already have them in hardened-nomultilib)
          \ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
          \ locale-gen
          \ eselect locale set en_US.utf8
      * FIXME: port forward 60001 in VM
      * connect from host to guest(this VM)
        * mosh --ssh="ssh -p 8822" -- root@127.0.0.19
        - mosh doesn't work with port-forwarding!
          * tried:
            * put this file in /root/
              * vim ~/moshify
                \ #!/bin/bash
                \ echo "initial: $@"
                \ #remove second 'new' and '-s'
                \ set -- "`sed -re 's|^(.*)(new )+(.*)(new )+(.*)$|\1\2\3\5|' -e 's|^(.*)( -s)+(.*)$|\1\3|' <<< "$@" `"
                \ echo "after  : $@"
                \ mosh-server $@
              * chmod +x ~/moshify
            * try to connect:
              * mosh --server="./moshify new -i 127.0.0.19" --ssh="ssh -p 8822" -- root@127.0.0.19
                \ where 127.0.0.19 is the locally forwarded port on host, which forwards to the VM port 22 of ssh which has IP 10.0.2.15
                \ the local mosh-server listens inside the VM on 127.0.0.19 port 60001
                \ changing to 127.0.0.1 still fails
                \ changing to 10.0.2.15 still fails (yes in --server I mean)
                * it fails with:
                  \ mosh: Nothing received from server on UDP port 60001. [To quit: Ctrl-^ .]       
                * so why does this fail?! don't tell me I need to port forward 60001 on host too grr - well ofc I do, pf 60001 worked! and the --server isn't needed anymore
    - install tmux (2min12s)
      \ https://wiki.gentoo.org/wiki/Tmux
      \ TODO: check vim-syntax USE flag, for now know that it pulls in X libs and vim
      * time emerge --ask -v app-misc/tmux
    - (already have it) the btrfs command (equery b btrfs shows which pkg) (3m1s)
      * time emerge -nav sys-fs/btrfs-progs
        \ 4m23s
    * install pfl
      \ https://wiki.gentoo.org/wiki/Pfl
      * time emerge -nav pfl
        \ //3m38s
        \ less than 1 min (time wasted in ask dialog)
        \ use e-file texthere   to find something in any package(even if not already installed)
        \ e-file cmdhere  instead of  equery b cmdhere  to find out which (non-installed!) package provides the command
    - (already have it; customiso)install equery (38s)
      \ https://wiki.gentoo.org/wiki/Equery
      \ needed to run: revdep-rebuild or its replacement time emerge @preserved-rebuild
      * time emerge -nav gentoolkit
        \ 7m53s
        \ this installs latest python (3.4, from 3.3) and rebuilds portage too!
      * examples:
        * equery b vim
          \ to find packages which provide vim command
          \ but vim is not installed so vim command doesn't exist at this moment so this will fail, use e-file vim  instead! (aka pfl package's e-file)
        * equery files alsa-lib | less
          \ to list all installed files of a package
    * set hostname (needed for nullmailer config; nullmailer gets installed with sudo)
      * vim /etc/conf.d/hostname
        \ ie. tux
        \ this file was rsync-ed
      * hostname tux
      * env-update && source /etc/profile && source ~/.bash_profile
      * vim /etc/hosts   APPEND these NEW lines:
        \ # This defines the current system and must be set
        \ #127.0.0.1     tux.homenetwork tux localhost
        \ looks like this is already set to localhost, so append the following lines:
        \ 127.0.0.1 localhost tux
        \ #^ replace that one with this,  or comment out existing one.
        \ ::1 localhost tux
        \ #^ you must have this ipv6 stuff(even if USE=-ipv6) because `hostname -f` will otherwise ask the dns server every time you execute hostname -f or eg. startx, mc !!! XXX: looks like even lacking this entire line doesn't cause that request to happen anymore!! but see what this comment says with wireshark: https://fedorahosted.org/sssd/ticket/922#comment:4
        \ "Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query." src: http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
    * get a syslogger (before installing sudo, or else sudo pulls metalog!)
      * time emerge -n --ask --verbose app-admin/metalog
        \ 2m43.779s
      * rc-update add metalog default
        \ FIXME: shouldn't this be added to boot? or does boot not have mounted the fs yet?
        \ this was already added (likely due to rsync)
    * time emerge -nav app-admin/sudo
      \ 4 packages (installs metalog(if not already installed) and nullmailer too)
      \ 4m24.302s
      \ //11 packages
      \ //25m26s
      \ //at least 28 mins (failed on gnutls due to -DDEBUG in CFLAGS!!! confirmed to be so, in hardened!)
      \ //14mins after the above fail(then fixed then reran the emerge, but ccache had them so far)
      \ this also gets metalog and other stuff
      * this installed nullmailer too, and you should do as they say:
        * emerge --config =mail-mta/nullmailer-1.13-r5
          \ aka create an initial setup
          \ getting this error twice: hostname: No address associated with name
          \ //it's fixed(no error):(should be fixed) unsure how to fix yet, maybe just need to set hostname first?
      - (rsynced) nano -w /etc/sudoers.d/wheel
        \ %wheel ALL=(ALL) ALL
        \ now all users in group wheel can sudo (with their own password)
    - add reboot/shutdown users (forget this!)
      \ for easy reboots
      * useradd -M -s /sbin/reboot --home /sbin -- reboot
      * passwd reboot
      \ can't login, because /sbin/reboot is not in /etc/shells
      \ XXX: now I can login, but won't allow me to reboot 'cause I'm not root, so forget it; definitely don't wanna add suid attribute!
      \ shutdown user already exists id=6 (but not the group)
      * vim /etc/shells
        \ append this line:
        \ /sbin/reboot
    * save nano in favs so it won't be removed by emerge --depclean
      \ emerge --noreplace app-editors/nano
    * check /etc/fstab for any fixes
      * see if swap is added (if not rsync-ed already)
        \ done, added now
    - (already in rsync) fstab fixture
      * vim /etc/fstab
        \ just edit the template and add some stuff
        \ XXX: do not use discard in fstab or mount(or tune2fs) because deleting a ton of files is expensive! use fstrim instead!! (also don't use fstrim for now, because vm is set to not support TRIM currently by having discard="false" or just not having discard="true" in .vbox file! did it so that it won't shrink the .vdi file because that costs writes on my host's SSD aka the real SSD)
        \ XXX: for btrfs fs_passno(last field) should be 0
        \ looks like this:
        \ #XXX: removed autodefrag which was meant for HDDs not for SSDs! without it, it should avoid some unnecessary writes.
        \ #for normal gentoo#/dev/sda2               /               btrfs           async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,compress=lzo,datasum,datacow,space_cache,commit=300         0 2
        \ #for luks:
        \ /dev/mapper/luks_on_sda2_boot               /bewt           btrfs            async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,compress=lzo,datasum,datacow,space_cache,commit=300  0 2
        \ /dev/vgall/rootlvol               /               btrfs           async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,compress=lzo,datasum,datacow,space_cache,commit=300 0 1
        \ # XXX: do not add errors=remount-ro  because btrfs says: unrecognized mount option
        \ #/dev/SWAP              none            swap            sw              0 0
        \ /dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
        \ /dev/fd0                /mnt/floppy     auto            noauto          0 0
        \ tmpfs                   /tmp            tmpfs           rw,nosuid,relatime,nodev,size=90%,mode=1777 0 0
        \ tmpfs                   /var/tmp        tmpfs rw,nosuid,relatime,nodev,size=90%,mode=1777 0 0
        \ tmpfs                   /var/tmp/portage        tmpfs   rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 0 0
      - make sure /var/tmp/portage gets mounted on startup!
        \ not needed anymore due to x-mount.mkdir  (see man 8 mount)
        * vim /etc/local.d/portagemount.start
          \ mkdir /var/tmp/portage
          \ mount /var/tmp/portage
        * chmod +x /etc/local.d/portagemount.start 
        - already added
          \ rc-update add local default
    * Kernel (part 1)
      \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
      * time emerge -nav sys-kernel/git-sources
        \ FIXME: postponed, due to one of my patches being outdated
        \ //4.2-rc3 currently, duration: 5m49s
        \ user patches are already in (rsync-ed above)
        \ this works with ccache, no PIC error (I mean later when compiling it with genkernel!!)
        \ license: freedist   (use dispatch-conf to apply it)
      * time emerge -nav hardened-sources
        \ that's 4.1.6 at the moment
        \ wants license: freedist   (use dispatch-conf to apply it)
        \ //5m8s
        \ 4m35.385s
        * eselect kernel list
        * eselect kernel set 1
        * eselect kernel list
    * replace udev with eudev (need to do this after we get kernel sources)
      \ do we need this?
      \ done: I should install this after getting kernel sources!! and after compiling kernel; because: "Unable to find kernel sources at /usr/src/linux"
      * time emerge -av '>=sys-fs/eudev-3.1.2'
        \ //3m19s
        \ sys-fs/eudev-3.1.2-r10
        \ 2m53.846s
        \ url to read: http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames
      - /etc/init.d/udev --nodeps restart
        \ unsure if this is needed at this time, or only when running the system normally (not from within chroot)
      - a test will fail https://github.com/gentoo/eudev/issues/101
        * rebuild with keeping working folder via:
          \ ebuild /usr/portage/sys-fs/eudev/eudev-2.1.1.ebuild merge
          \ it will only execute the steps it didn't already, so from test onwards (supposedly)
      - run this inside non-chrooted vm:  (i don't think it's needed tho hmm, but I did it anyway)
        \ /etc/init.d/udev --nodeps restart
        \ yeah this doesn't make sense because eudev binary is only inside chroot anyway!
    * Kernel (part 2)
      \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
      * time emerge -nav '>=sys-apps/gradm-3.1'
        \ that's unstable, so use dispatch-conf, u, rerun above
        \ //38sec
        \ 0m36.874s sys-apps/gradm-3.1.201507191652
      * time emerge -nav sys-apps/paxctl app-misc/pax-utils app-admin/paxtest
        \ get these other "needed" stuffs for grsecurity
        \ //29s
        \ time paxtest blackhat
        \ //5m16s (without grsecurity enabled)
        \ installs only paxtest currently(customiso)
        \ 0m36.251s
      * compile
        * genkernel (because VM)
          * time emerge -n --ask --verbose '>=sys-kernel/genkernel-3.4.51.2'
            \ //9 packages
            \ //27m46s
            \ (Fixed by eselect kernel above): lvm2 and cryptsetup require a kernel in /usr/src/linux/ but supposedly this isn't bad! they just want to get the kernel version!
            - (doesn't apply anymore)lvm2
              \ since it got installed by emerge genkernel above...
              * dispatch-conf (zap new!, because it wants to restore the defaults!)
              * rc-update add lvm boot
                \ it was NOT already there!
                \ seen with: rc-status boot
            - (doesn't apply anymore)cryptsetup (nothing to do here, go to next step)
              * TODO: see this example for luks mountpoint configuration: /etc/conf.d/dmcrypt
                \ TODO: add the /bewt here so we can mount it (aka luksOpen) faster than having to specify
                \ also use crypt_root=/dev/blah instead of real_root=luks:/dev/blah.
          * XXX: /bewt must be already mounted at this point!!
            \ df /bewt
            \ should show size 4.0G total, if it's mounted
          - (already done) eselect kernel list
            \  [1]   linux-4.2-rc4 *
            \ ^ that's the only one in list at this point
          - (can't be installed at same time) radeon needs its firmware
            \ ie. not for virtualbox!!
            * time emerge -nav x11-drivers/radeon-ucode
              \ 32s
              \ this gives that radeon/R700_rlc.bin which dmesg reports failed with error -2  by placing it in /lib/firmware/radeon/R700_rlc.bin  after installing that package!
            * TODO/FIXME: https://wiki.gentoo.org/wiki/Radeon#Firmware  to see how to remove all other unneeded firmwares!
          - source /etc/profile
            \ to get rid of PATH from ~/.bashrc pointing at ccache's bin and thus no PIC error (i don't have ccache's bin in my PATH anymore)
          * linux firmware (radeon and amd cpu microcode is here) - this isn't needed for a virtualbox installation
            \ https://wiki.gentoo.org/wiki/AMD_microcode
            * time emerge -nav sys-kernel/linux-firmware
              \ //1m14s
              \ already have it
              \ not bothering to edit that "config"
          * cp /usr/src/.config /usr/src/linux/
            \ that's from rsync
            \ already had one in for my current kernel version (linux-4.1.7-hardened-r1)
          * cd /usr/src/linux && make nconfig
            \ if needed
          * time genkernel all --bootdir="/bewt" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs  --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-mrproper --no-clean --no-postclear --oldconfig
            \ 18m32.303s until fail to mknod(fixed by sysctl, with grsec)
            \ + extra 2m25.472s after fix.
            \ this is why it needs to mknod:
            \ [11227.213313] grsec: denied mknod of /mnt/gentoo/var/tmp/genkernel/6318.774.12810.22538/initramfs-base-temp/dev/console from chroot by /mnt/gentoo/bin/mknod[mknod:5851] uid/euid:0/0 gid/egid:0/0, parent /mnt/gentoo/usr/bin/genkernel[genkernel:22538] uid/euid:0/0 gid/egid:0/0
            \ .
            \ removed --menuconfig because make nconfig is better!
            \ looks like genkernel knows to not use ccache ! at least when on hardened now. (and I checked there are no -ccache or so, options in /etc/portage/)
            \ //22m47s (another compilation was happening in the background though: vim)
            \ WARNING: after successfully running genkernel, you have to re-run grub2-mkconfig (which we do later if you follow this guide thingy) ! (booting the previous kernel still works though, because grub.cfg isn't changed and all previous kernel files are kept in /bewt and are available in a grub submenu called Advanced at boot!)
            \ # --no-postclear won't delete the busybox and lvm2 that were just built every time genkernel is ran.
            \ Once genkernel completes, a kernel, full set of modules and initial ram disk (initramfs) will be created.
            \ # XXX: always use --kernname=genkernel (or don't specify this option, to get it as default!) otherwise grub2-mkconfig via /etc/grub.d/10_linux will not find the initramfs image due to hardcoded stuff. FIXME patch it? But don't use --bootloader=grub
            \ #XXX: note that --bootloader=grub  uses grub.conf instead of the new name(as per `info grub`) of grub.cfg !! ergo it will fail
            \ # --oldconfig implies --no-clean which in turn implies --no-mrproper; it's also OLDCONFIG="yes" by default in /etc/genkernel.conf ; also this implies (they say in that .conf comments) that if clean is NO, it won't copy over any configuration file(from /etc/kernels/), it will use what's there(the .config) instead. But I don't know how true that is because I'm seeing this message: * Linux Kernel 3.17.7-gentoo for x86_64...              * .. with config file /etc/kernels/kernel-config-x86_64-3.17.7-gentoo
            * reminder of steps after boot needed to regen kernel: #SECONDBOOT
              * luksOpen the sda2 luks device
              * mount /bewt
              * cd /usr/src/linux && make nconfig
                * change stuff
                * exit and save
              * genkernel (without any clean or mrproper options!!  --no-clean  and --no-mrproper yes!)
              * rerun grub2-mkconfig command
              * recompile modules search for: @module-rebuild
              * umount /bewt
              * luksClose
              * ready to: reboot & exit
            - while in MENUCONFIG:
            * disable radeon framebuffer support (untested yet, either way, in X)
              \ x11-drivers/xf86-video-ati-7.5.0 says:
              \  CONFIG_FB_RADEON:   should not be set. But it is.
            - (rsynced) keep CONFIG_DEBUG_NMI_SELFTEST disabled to avoid boot-time kernel panics due to mouse movements (key presses).
            - (rsynced)to get audio aka sound inside virtualbox (in X via pavucontrol let's say)
              * SND_INTEL8X0 which is in -> Device Drivers  -> Sound card support (SOUND [=m]) -> Advanced Linux Sound Architecture (SND [=m]) -> PCI sound devices (SND_PCI [=y]) -> [m] Intel/SiS/nVidia/AMD/ALi AC97 Controller
                \ and this gets selected automatically(? apparently): SND_AC97_CODEC [=m]  and also AC97_BUS [=m] 
            - (rsynced) chromium needs the following kernel options(or else sandbox won't work, they say):
              \ CONFIG_USER_NS which recommends CONFIG_MEMCG and CONFIG_MEMCG_KMEM
              \ also SECCOMP_FILTER which needs SECCOMP
              \ SECCOMP = Enable seccomp to safely compute untrusted bytecode, in -> Processor type and features
              \ recompile kernel(21m48s by adding CONFIG_USER_NS, the other two were set already)... and then recompile chromium
            - (rsynced) ensure CONFIG_AUDITSYSCALL is set for sys-auth/consolekit-0.4.6 complains about it.
              \ this needs CONFIG_AUDIT first, in -> General setup -> [*] Auditing support
              \ then in same place is our CONFIG_AUDITSYSCALL right after it. aka [*] Enable system-call auditing support
              \ TODO: maybe this isn't really needed at all? I mean, it works fine on my host which is using same kernel .config
            - (already)CONFIG_DEBUG_FS
              \ to have access to radeon temperatures in /sys/kernel/debug/dri/1/radeon_pm_info
              * Kernel hacking -> Compile-time checks and compiler options -> Debug Filesystem
                \ select it [*]
            - (rsynced)don't forget the network driver Intel PRO/100 (which isn't selected due to rsync); it's in Device Drivers->Networking->Ethernet devices (or something like that)
            - (rsynced) usb keyboard detection at the luks prompt (or else you have no keyboard, unless you plug a PS2 one):
              * Device Drivers -> USB support  ---> {*} Support for Host-side USB
                \ make it Y not M
              * Device Drivers -> HID support  ---> USB HID support  ---> <*> USB HID transport layer
                \ make it Y now, not M
              * Device Drivers -> USB support  ---> <*>     EHCI HCD (USB 2.0) support
                \ make it Y not M!
              * Device Drivers -> USB support  ---> <*>     OHCI HCD (USB 1.1) support
                \ make it Y not M!
              * with just the above 4, usb keyboard is still dead at luks prompt, works afterwards though
              * make this happen, in Device Drivers -> USB support  --->
                \ {*}     Generic EHCI driver for a platform device
                \ <*>       OHCI support for PCI-bus USB controllers
                \ {*}       Generic OHCI driver for a platform device
                \ <*>     UHCI HCD (most Intel and VIA) support
              * now the usb keyboard should work at luks prompt before mounting
            -(rsync) for radeon driver to work in kernel: (not for virtualbox)
              \ aka for KMS to work; also this in dmesg [drm:rv770_init] *ERROR* Failed to load firmware!
              - (rsync)this is already selected:
                \ Device Drivers  --->
                \   Generic Driver Options  --->
                \     [*]   Include in-kernel firmware blobs in kernel binary 
              - (rsync) set the firmware .bin to:
                * ()    External firmware blobs to build into the kernel binary
                  \ radeon/R700_rlc.bin radeon/RV770_smc.bin radeon/RV770_uvd.bin
                  \ XXX: apparently these should be SUMO not R700 and stuff. Yup, R700 stuff is for my former desktop PC.
                  \ if you have a different card, then add more/different firmware files ^ above, see: https://wiki.gentoo.org/wiki/Radeon#Firmware
                  * a new item appears:
                    * (firmware) Firmware blobs root directory (NEW) 
                      \ set it to this:
                      \ /lib/firmware/
                      \ it's where x11-drivers/radeon-ucode package put all the .bin firmwares.
              * build these as Y not M (not modules!)
                * Device Drivers  ---> Graphics support  ---> 
                  * Direct Rendering Manager  ---> 
                    \ can deselect all others in this screen
                    * <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)
                    * <*> ATI Radeon
                  * Frame buffer Devices  ---> 
                    * -*- Support for frame buffer devices  --->
                    * <*> ATI Radeon display support 
                      \ this might not be needed at all!! according to wiki: it is deselected!
                    * [*]   DDC/I2C for ATI Radeon support
                    * [*]   Support for backlight control
                    * [*]   Lots of debug output from Radeon driver
                    * these were preselected
                      \ can remove all others
                      * [*] VESA VGA graphics support
                      * [*] EFI-based Framebuffer Support
                        \ this one doesn't seem to exist anymore, in 4.2.0-rc3
                  * Console display driver support  ---> 
                    * [*]   Enable Scrollback Buffer in System RAM
                    * (4096)  Scrollback Buffer Size (in KB)
            - (rsync)disable user firmware loader, by doing the following:
              \ why disable? https://wiki.gentoo.org/wiki/Udev/upgrade#udev_216_to_217
              * disable CONFIG_DELL_RBU which disables CONFIG_FW_LOADER_USER_HELPER  (well I mean it doesn't force select it automatically, when disabled)
                \ Firmware Drivers  ---> BIOS update support for DELL systems via sysfs
            - (rsynced) disable CONFIG_CC_STACKPROTECTOR_STRONG in -> General setup -> Stack Protector buffer overflow detection -> Regular
              \ Makefile:654: Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
              \ due to x86_64-pc-linux-gnu-4.8.4
              \ Makefile:734: Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
              \ using  [1] x86_64-pc-linux-gnu-4.8.4 *
            - (rsynced): (must do, not in rsync currently) don't forget to enable BTRFS in kernel (not as module, to be sure) - it's in Filesystems->BTRFS enable all suboptions.
            - (in rsync)xfce-extra/xfce4-power-manager-1.3.0 needs kernel option CONFIG_TIMER_STATS to be set: *   CONFIG_TIMER_STATS:  is not set when it should be.
              \ Kernel hacking  ---> Collect kernel timers statistics
            - Exit menu and Save, compiling will commence automatically!
              \ this when using --menuconfig
            * NOTE: this will not boot as is now, it needs executing grub2-mkconfig which we do later on in the bootloader section below... patience grasshopper.
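            \ Added example (mine, not from this guide, genkernel or the kernel tree): a check of /usr/src/linux/.config against the options the menuconfig notes above ask for, to run before genkernel so a rsynced or oldconfig'd .config that silently dropped one of them is caught before a 20-minute build and a keyboard-less LUKS prompt. The CONFIG_ symbol names for entries the notes give only as menu text (the USB host-controller items, ATI Radeon under DRM, BTRFS) are my mapping; the sample .config and the function names are constructed for the demo.

```sh
#!/bin/sh
# Added example: verify a kernel .config carries the options this guide's
# menuconfig notes call for. kconfig_get/kconfig_check/REQUIREMENTS are my
# names; symbol names for entries the notes give only as menu text are my mapping.

# One requirement per line: SYMBOL WANT REASON. WANT is y (built-in; =m is a
# failure, nothing can load modules before the LUKS prompt) or n (must be off).
REQUIREMENTS='
CONFIG_USB y host-side USB core, keyboard at the LUKS prompt
CONFIG_USB_HID y USB HID transport layer, keyboard at the LUKS prompt
CONFIG_USB_EHCI_HCD y EHCI (USB 2.0) host controller
CONFIG_USB_EHCI_HCD_PLATFORM y generic EHCI platform driver
CONFIG_USB_OHCI_HCD y OHCI (USB 1.1) host controller
CONFIG_USB_OHCI_HCD_PCI y OHCI on PCI-bus controllers
CONFIG_USB_OHCI_HCD_PLATFORM y generic OHCI platform driver
CONFIG_USB_UHCI_HCD y UHCI host controller
CONFIG_BTRFS_FS y root and /bewt are btrfs, not as a module
CONFIG_USER_NS y chromium sandbox
CONFIG_SECCOMP y chromium sandbox
CONFIG_SECCOMP_FILTER y chromium sandbox
CONFIG_AUDITSYSCALL y consolekit complains otherwise
CONFIG_DEBUG_FS y radeon_pm_info under /sys/kernel/debug
CONFIG_DRM_RADEON y KMS for the Z575 radeon
CONFIG_FB_RADEON n xf86-video-ati says it should not be set
CONFIG_DEBUG_NMI_SELFTEST n boot-time panics on input
CONFIG_FW_LOADER_USER_HELPER n udev 217 dropped userspace firmware loading
CONFIG_CC_STACKPROTECTOR_STRONG n only while on gcc 4.8.4, turn back on with a newer gcc
'

# Print the value of SYMBOL in FILE: y, m, a literal value, or n when the line
# is missing or reads "# SYMBOL is not set".
kconfig_get() {
    v=$(sed -n "s/^$2=//p" "$1")
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'n\n'
}

# Report every mismatch on stdout; the return value is the mismatch count
# (0 means the .config satisfies every requirement).
kconfig_check() {
    cfg="$1"; bad=0
    while read -r sym want reason; do
        [ -n "$sym" ] || continue
        have=$(kconfig_get "$cfg" "$sym")
        [ "$have" = "$want" ] || { echo "$sym=$have, want $want ($reason)"; bad=$((bad + 1)); }
    done <<EOF
$REQUIREMENTS
EOF
    return "$bad"
}

# Constructed .config excerpt (not the author's): two deliberate mismatches,
# the EHCI platform driver built as a module and the user firmware helper on.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_USB=y
CONFIG_USB_HID=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_HCD_PLATFORM=m
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_OHCI_HCD_PCI=y
CONFIG_USB_OHCI_HCD_PLATFORM=y
CONFIG_USB_UHCI_HCD=y
CONFIG_BTRFS_FS=y
CONFIG_USER_NS=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_AUDITSYSCALL=y
CONFIG_DEBUG_FS=y
CONFIG_DRM_RADEON=y
# CONFIG_FB_RADEON is not set
# CONFIG_DEBUG_NMI_SELFTEST is not set
CONFIG_FW_LOADER_USER_HELPER=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set
EOF
}

# Real use: kconfig_check /usr/src/linux/.config   (before running genkernel)
if [ $# -ge 1 ]; then kconfig_check "$1"; fi
```

Run it with the path to a .config; an empty output and exit status 0 means the file is ready for genkernel, anything else lists the symbol, its current value and the wanted one.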
        * TODO(ignore this section for now): manually (if you didn't do genkernel above) TODO: incomplete and outdated!
          * initramfs - dracut
            * /etc/dracut.conf.d/my.conf
              \ dracutmodules+="btrfs caps rootfs-block crypt dm crypt-gpg lvm i18n kernel-modules terminfo udev-rules usrmount base fs-lib shutdown biosdevname"
              \ #fstab-sys
              \ #crypt depends on dm, requires sys-fs/cryptsetup
              \ #crypt-gpg depends on crypt, requires app-crypt/gnupg
              \ #biosdevname requires sys-apps/biosdevname
              \ #btrfs requires sys-fs/btrfs-progs
              \ omit_dracutmodules+="rpmversion convertfs resume securityfs img-lib dmraid dmsquash-live gensplash iscsi livenet mdraid multipath nbd nfs plymouth ssh-client syslog debug ifcfg network selinux url-lib dash"
              \ hostonly="yes"
            * run:
              \ dracut
          - kernel modules (probably needed when using dracut?)
            \ unsure if this is needed - apparently it's not (genkernel does this automatically)
            \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel#Kernel_modules
    * System
      \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System
      * network
        * time emerge -nav sys-apps/biosdevname
          \ //1m10s
          \ already have(customiso)
        * for extra options(like setting domain name to homenetwork) if needed, see:
          \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System#Host_and_domain_information
        * emerge --ask --noreplace net-misc/netifrc
          \ this adds it to favs.
        * vim /etc/conf.d/net
          \ new file! (only on gentoo's admincd.iso ! not on my customiso)
          - dhcp  (needs only p2p1, XXX: apparently now it's enp0s3)
            \ #config_eth0="dhcp"
            \ config_enp0s3="dhcp"
            \ #config_p2p1="dhcp"
          * if static IP
            \ use different IP name here than what you used on liveCD, so that you don't have to edit out the ~/.ssh/known_hosts line due to different fingerprint when ssh-ing later on
            \ The /etc/conf.d/net file does not exist by default, so needs to be created.
            \ #config_eth0="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ #routes_eth0="default via 192.168.0.1"
            \ #config_enp0s3="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ #routes_enp0s3="default via 192.168.0.1"
            \ #config_p2p1="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ #routes_p2p1="default via 192.168.0.1"
            \ config_p4p1="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ routes_p4p1="default via 192.168.0.1"
            \ #p4p1 is the one on my Z575 laptop
            \ #turns out these enp2s0 and enp3s0 cards in my desktopPC(not virtualbox!) don't get transformed into p2p1 -like bios names!
        * cd /etc/init.d
        * warning: already rsync-ed the below! but may need to remove some extra interfaces!
        - // ln -s net.lo net.eth0
          \ in case the below 2 fail (they did with hardened uclibc)
        * ln -s net.lo net.enp0s3
        - ln -s net.lo net.p2p1
        - //rc-update add net.eth0 default
        * rc-update add net.enp0s3 default
        - rc-update add net.p2p1 default
          \ XXX: this p2p1 appears instead of enp0s3 due to sys-apps/biosdevname being installed !
        * remove any useless ones!
          * by rc-update del 
            * rc-update del net.enp0s3 default
            * rc-update del net.eth0 default
            * rc-update del net.p2p1 default
          * by rm-ing their symlink! from /etc/init.d/
          * rc-status
            \ now doesn't show the rm-ed ones
            \ BUT they are still there! so rc-update del them before rm-ing their symlinks, or, delete them from /etc/runlevels/default/
      * set root password (inside chroot) - don't skip this
        \ passwd
      * init and boot config
        - (rsynced) nano /etc/rc.conf
          \ modify/uncomment:
          \ rc_start_wait=100
          \ #UNICODE="NO" #looks like it's lowercase by default:
          \ unicode="NO"
        - vim /etc/conf.d/keymaps
          \ nothing to change
        - vim /etc/conf.d/hwclock
          \ clock="UTC"  (already set)
        - (already, in customiso) rc-update add gpm default
          \ ensure gpm starts everytime on startup
      * installing tools
        - (already) lsof
          * time emerge -nav sys-process/lsof
            \ 34s
        * get a cron
          * time emerge -nav sys-process/cronie
            \ //1m11s
            \ TODO: read how to use it http://www.gentoo.org/doc/en/cron-guide.xml
            \ 1m7s
          * rc-update add cronie default
            \ already
        * rc-update add sshd default
          \ to be able to ssh after reboot
          \ already
        * delete some systemd leftover files from stage3
          * rm -vrf /usr/lib{,64}/systemd /usr/lib64/debug/lib/systemd /usr/lib64/portage/python{2.7,3.3}/install-qa-check.d/*systemd /lib64/netifrc/sh/systemd-wrapper.sh
            \ there were two(customiso):
            \ removed '/usr/lib64/portage/python2.7/install-qa-check.d/60systemd'
            \ removed '/lib64/netifrc/sh/systemd-wrapper.sh'
      * bootloader
        -(rsynced) set accept flags (apparently this is needed to get the git package aka 9999 , and that ~amd64 thing in make.conf is unstable but not as unstable as the git version)
          - mkdir -p /etc/portage/package.accept_keywords
            \ ok well the file with this name already exists(due to us not using ~amd64 in make.conf), so we can just append to it
          * (rsynced)vim /etc/portage/package.accept_keywords
            \ =sys-boot/grub-9999-r1 **
        - (rsynced) set USE flags (for future emerges too)
          \ src: https://wiki.gentoo.org/wiki//etc/portage/package.use
          * mkdir /etc/portage/package.use/
            \ already exists with iputils file
          * nano /etc/portage/package.use/grub
            \ sys-boot/grub -themes debug mount -device-mapper -fonts
        - (rsynced) set FEATURES flags (for future emerges too)
          \ src: https://wiki.gentoo.org/wiki//etc/portage/env
          * nano /etc/portage/package.env
            \ sys-boot/grub grub.conf
          * mkdir /etc/portage/env
          * nano /etc/portage/env/grub.conf
            \ FEATURES="-stricter"
            \ because of this: https://bugs.gentoo.org/show_bug.cgi?id=539606
        - time USE="debug mount device-mapper -themes" FEATURES="-stricter" emerge -av =sys-boot/grub-9999-r1
        - (rsynced)make sure the /etc/portage/patches folder contains the grub patches!!!
          \ so we don't have to do the sed actions below AND XXX: also when updating, the sed action would have to be repeated!!!
          \ using emacs instead of zazdxscf here (because that's what I really name my username :P ok don't hack me :)) ):
          * mkdir -p /home/emacs/patches/portage/sys-boot
          * ln -s /home/emacs/patches/portage/ /etc/portage/patches
          * mkdir -p /home/emacs/patches/portage/sys-boot/grub-9999-r1:2
          * pushd /home/emacs/patches/portage/sys-boot
          * ln -rs grub-9999-r1:2 grub-9999-r1
          * ln -rs grub-9999-r1 grub-9999
          * ln -rs grub-9999 grub
          * run this on host (not within ssh!)
            * scp -24vp -P 8822 "/home/emacs/coostomhuston/system/gentoo/rootfs/home/emacs/patches/portage/sys-boot/grub-9999-r1:2"/* root@127.0.0.19:'/mnt/gentoo/home/emacs/patches/portage/sys-boot/grub-9999-r1:2'
              \ the * means *.patch actually, and there are two!
          * ls -la grub
            \ verify the files are there
          * popd
        - time emerge -nav --backtrack=30 \>=sys-boot/grub-9999
        * time emerge -av --backtrack=30 \>=sys-boot/grub-9999
          \ installs fuse too, so 2 packages total, fuse is new
          \ 9m53.618s
          \ //70 packages
          \ //real 148m11s (user 299m46s, sys 41m11s)
        - (rsynced) nano /etc/default/grub
          \ #:set paste
          \ only this line exists (uncommented):
          \ GRUB_DISTRIBUTOR="Gentoo"
          \ so, add more lines:
          \ GRUB_CMDLINE_LINUX="ipv6.disable=1 pnp.debug=1 loglevel=9 log_buf_len=10M printk.always_kmsg_dump=y printk.time=y mminit_loglevel=0 memory_corruption_check=1 nohz=on rcu_nocbs=1-3 pcie_aspm=force fbcon=scrollback:4096k fbcon=font:ProFont6x11 apic=debug dynamic_debug.verbose=1 dyndbg=\"file arch/x86/kernel/apic/* +pflmt ; file drivers/video/* +pflmt ; file drivers/input/* -pflmt ; file drivers/acpi/* -pflmt\" acpi_backlight=vendor radeon.audio=0 radeon.lockup_timeout=20000 radeon.test=0 radeon.agpmode=-1 radeon.benchmark=0 radeon.tv=0 radeon.hard_reset=1 radeon.aspm=1 radeon.msi=1 radeon.pcie_gen2=-1 radeon.no_wb=1 radeon.dynclks=0 radeon.r4xx_atom=0 radeonfb radeon.fastfb=1 radeon.modeset=1 radeon.dpm=1 radeon.runpm=1 rd.debug rd.udev.debug rd.memdebug=3 net.ifnames=1 console=tty1 earlyprintk=vga slub_debug=U noefi dolvm dobtrfs CPUunderclocking"
          \ #slub_debug=U  is for kasan and nicer stack trace, see: https://github.com/google/kasan/wiki  or to switch off: slub_debug=-
          \ the radeon stuff is irrelevant for virtualbox
          \ #i8042.debug
          \ # so apparently this worked: console=tty1,ttyS0,115200n8 earlyprintk=vga,serial,ttyS0,115200,keep   ALTHOUGH the ttyS0 speed seems to be 9600 or something   OK we don't use this, unless there's an error which we need to debug! the speed difference is 20.6 sec with and 3.3 sec without!
          \ # net.ifnames=0  makes eth0 remain eth0 (actually, this has no effect and it gets renamed to p2p1 when sys-apps/biosdevname is installed!)
          \ GRUB_TERMINAL_INPUT="console"
          \ GRUB_TERMINAL_OUTPUT="console" #gfxterm vga_text spkmodem
          \ # note: GRUB_TERMINAL=console overrides both _INPUT and _OUTPUT to same value
          \ #GRUB_SAVEDEFAULT=true #only when ext2, not btrfs! not when LVM also!
          \ GRUB_SAVEDEFAULT=false
          \ #XXX: ^ required to avoid "error: sparse file not allowed. Press any key to continue ..." when /boot (/bewt) filesystem is btrfs; https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/736743
          \ GRUB_DEFAULT=0 #not required for btrfs, but since saved doesn't make much sense unless it's like ext2(non-btrfs), 0 is ok
          \ #GRUB_DEFAULT=saved  #only when not btrfs! (eg. ext2 is ok)
          \ #//fixed: when this ^ is set(to `saved`), grub2-editenv(ran by grub2-mkconfig) will want /boot/grub/grubenv instead of the /bewt one; because grub2-mkconfig is running this: grub2-editenv - list  which uses default path. https://savannah.gnu.org/bugs/?group=grub (it's ssl3) bug-grub@gnu.org (latest grub binary release was in 2012, latest cvs log is from 2013, we're in 2015 now) so, I guess I should just fix this myself without reporting it(not even in gentoo bugs because they probably don't need the noise, since all are likely using /boot). Can't really use the value from ${grub_cfg} variable as that's the one from -o in command: grub2-mkconfig -o /bewt/grub/grub.cfg  and this way I can pull out that folder and use it inside grub2-mkconfig to call: grub2-editenv "/bewt/grub/grubenv" list  Without -o the config is spewed to stdout.
          \ # //fixed below, skip this: manually fix to /bewt/grub/ by executing this: sed -re 's|("\$\{grub_editenv\}" )(\-)( list)|\1"/bewt/grub/grubenv"\3|' -i grub2-mkconfig
          \ GRUB_TIMEOUT=1
          \ # 1 sec timeout
          \ #GRUB_TIMEOUT=-1  #or no timeout
          \ GRUB_TIMEOUT_STYLE=menu
          \ GRUB_DISABLE_RECOVERY=false
          \ GRUB_DISABLE_LINUX_UUID=false
          \ GRUB_DISABLE_OS_PROBER=true
          \ GRUB_ENABLE_CRYPTODISK=y
          \ #^ for LUKS =y, src: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
        - (rsynced)patch to look at /bewt instead of /boot
          * grubenv: patch grub2-mkconfig to use /bewt instead of the default /boot
            * grubenv patch TODO: add this to grub-9999-r1 patches; technically we don't need this, but only because hmm it WAS inside lvm, but now it's inside luks only, so we could use the env hmm; actually I don't remember this correctly: is it failing to save grubenv while in grub menu if the fs is btrfs or when it's lvm? anyway do this!
              * sed -re 's|("\$\{grub_editenv\}" )(\-)( list)|\1"/bewt/grub/grubenv"\3|' -i /usr/sbin/grub2-mkconfig
                \ the effect of this is seen when using GRUB_DEFAULT=saved
            - patch this, to correctly detect (grub)root(aka boot device eg. /dev/sda2 that is, not system root / /dev/sda3) XXX: already in patches
              * sed -re 's|(\$\{grub_probe\} --target=device )(/boot)(`")|\1/bewt\3|' -i /usr/sbin/grub2-mkconfig
                * if you forget to apply this, or it's reverted due to updates
                  * old what happens:
                    \ without this you will get this error(example values):
                    \ cleared screen
                    \ "
                    \ Loading Linux x86_64-3.17.7-gentoo ...
                    \ error: file `/kernel-genkernel-x86_64-3.17.7-gentoo' not found.
                    \ Loading initial ramdisk ...
                    \ error: you need to load the kernel first.
                    \
                    \ Press any key to continue...
                    \ "
                    \ (reverts back to menu after 5 sec, even though -1 is the GRUB_TIMEOUT)
                    \ and to fix it (temporarily) you have to edit the kernel and initrd lines and prepend the boot device location as: (hd0,gpt2) for example. Seen when you get into cmdline and do `ls` then `ls (hd0,gpt2)/` to see where your kernel and initrd are located in order to find the correct values for (hd0,gpt2) from the listed ones with `ls`.
                    \ this is just temporary fix to let you boot in, and overrides the wrong search lines which point to your rootfs /  eg. /dev/sda3  instead to your /boot or /dev/sda2 which they should point to, including the set root= line! the UUID is also wrongly pointing to / instead of /boot so it's not enough to just change the (hd0,gpt3) into (hd0,gpt2) where you see them. But just prepending the right, (hd0,gpt2) that is, partition to kernel and initrd lines will get you into booting the system and you now only have to fix grub2-mkconfig with the above sed command before rerunning it again to fix it
          - patch /etc/grub.d/10_linux to use /bewt instead of the hardcoded /boot  XXX: already in patches
            * sed -re 's|/boot/|/bewt/|g' -i "/etc/grub.d/10_linux"
              * what happens (with luks aka now) is: XXX: or maybe this happened because /bewt wasn't mounted and it put it in /bewt (also no grub.cfg was here) 
                \ you don't get to see the menu and you're dropped to rescue shell because prefix and root are pointing to your root partition instead of boot partition
                * to temporarily fix and boot in:
                  \ set prefix=(lvm/vgall-bootlvol)/grub
                  \ set root=(lvm/vgall-bootlvol)
                  \ insmod normal
                  \ normal
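          \ Added example (mine, not from this guide or from grub): the two sed substitutions above as a re-runnable patch plus a check that reports when a grub update has put /boot back, exercised against a constructed two-line stand-in for grub2-mkconfig rather than the real /usr/sbin/grub2-mkconfig. The function names and the sample lines are mine; point patch_mkconfig/check_mkconfig at the real script once the demo passes.

```sh
#!/bin/sh
# Added example: patch grub2-mkconfig so GRUB_DEFAULT=saved and the boot-device
# probe look at /bewt instead of /boot, and detect when the patch is missing.
# patch_mkconfig/check_mkconfig/make_sample/demo are my names; the real script
# at /usr/sbin/grub2-mkconfig is not touched by the demo.

# Both substitutions are idempotent: on an already patched file they match nothing.
patch_mkconfig() {
    sed -E -i \
        -e 's|("\$\{grub_editenv\}" )(-)( list)|\1"/bewt/grub/grubenv"\3|' \
        -e 's|(\$\{grub_probe\} --target=device )(/boot)(`")|\1/bewt\3|' \
        "$1"
}

# 0 when both /bewt lines are present, 1 when a package update restored /boot.
check_mkconfig() {
    grep -qF '"${grub_editenv}" "/bewt/grub/grubenv" list' "$1" &&
    grep -qF '${grub_probe} --target=device /bewt`' "$1"
}

# Constructed stand-in for the two stock lines the seds target (not the real
# file, which has many more lines that the seds leave alone).
make_sample() {
    cat > "$1" <<'EOF'
GRUB_DEVICE_BOOT="`${grub_probe} --target=device /boot`"
saved_entry="`"${grub_editenv}" - list | sed -n 's/^saved_entry=//p'`"
EOF
}

# Demo: patch a temp copy, verify, and show that a second run changes nothing.
demo() {
    tmp=$(mktemp) || return 1
    make_sample "$tmp"
    check_mkconfig "$tmp" && { echo "sample already patched?"; rm -f "$tmp"; return 1; }
    patch_mkconfig "$tmp"
    check_mkconfig "$tmp" || { echo "patch did not apply"; rm -f "$tmp"; return 1; }
    patch_mkconfig "$tmp"
    check_mkconfig "$tmp" || { rm -f "$tmp"; return 1; }
    [ "$(grep -c /boot "$tmp")" = 0 ] && echo "grub2-mkconfig stand-in now points at /bewt"
    rm -f "$tmp"
}

demo
# Real use after every grub update, before grub2-mkconfig:
#   check_mkconfig /usr/sbin/grub2-mkconfig || patch_mkconfig /usr/sbin/grub2-mkconfig
```

The check is what to run after each grub re-emerge: if it fails, the /etc/portage/patches copy did not apply and grub2-mkconfig will again generate a grub.cfg whose search lines point at the root filesystem.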
        * ensure /bewt is mounted:
          \ df /bewt (if it shows the boot partition's size, the 4.0G total noted earlier in this guide, then it's mounted; if it shows the root filesystem's size it isn't) otherwise, you can only mount it outside of chroot (or if you're not on installCD: mount /bewt)
          \ needed for both grub2-* commands below
          * if it's not mounted eg. #SECONDBOOT then look for luksOpen before trying mount /bewt
            * cryptsetup --verbose luksOpen /dev/sda2 luks_on_sda2_boot
            * mount /bewt
            * df /bewt
        * use genkernel made symlinks and set passwords
          * TODO:(untested!) nano /etc/grub.d/39_passwords
            \ XXX: might need that exec tail line! i.e. start the file with the same two lines as 40_custom (#!/bin/sh and then exec tail -n +3 $0) and chmod +x it, otherwise grub2-mkconfig tries to run the set/password lines as shell instead of copying them into grub.cfg
            * add passwords
              * prepend these lines(after exec tail, ofc):
                \ set superusers="username1 username2"
                \ password user3 thisisplaintextpassword
                \ password_pbkdf2 username1 grub.pbkdf2.sha512.10000.402EB465....60C1
                \ #that's the output of this line: grub2-mkpasswd-pbkdf2 -s 512
                \ #more: info grub
                \ #that is the password for username1 which is the one that allows booting into kernel
                \ # caveats: the plain `password` form lands verbatim in grub.cfg, so use password_pbkdf2 for every user (user3 too) and give each name listed in superusers its own hash line (username2 has none above); once superusers is set, every menuentry without --unrestricted (the generated linux entries and the 40_custom ones alike) asks for a superuser password, as do the grub command line and entry editing
          - (rsynced) nano /etc/grub.d/40_custom
            * add shutdown/reboot grub menu entries
              \# :set paste
              \ menuentry "System shutdown" {
              \    echo "System shutting down..."
              \    halt
              \ }
              \
              \ menuentry "System restart" {
              \    echo "System rebooting..."
              \    reboot
              \ }
            - add genkernel made symlinks (maybe skip this for now)
              \ FIXME: need to use LVM here
              \ using LUKS, more info: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS#Genkernel.2FGenkernel-next
              \ FIXME: need to know UUID here, run blkid /dev/sda2 actually that should be the uuid of /dev/sda3 ? currently: bbf00731-3ee8-4127-82fc-b7424f851989  or should it be of lvm_on_luks_on_sda3_root ? aka pEzkC0-YngX-5GUV-2ULa-BYyA-qFWz-yfRCYT hmm probably the former!
              \ still required to manually add/update (or maybe we can use ``) kernel cmdline options
              \ menuentry "latest compiled Linux" { #only superusers
              \ set root=(hd0,0)
              \ OUTDATED: linux /kernel crypt_root=UUID=bbf00731-3ee8-4127-82fc-b7424f851989 root=/dev/mapper/lvm_on_luks_on_sda3_root ro root_trim=yes ipv6.disable=1 pnp.debug=1 loglevel=9 log_buf_len=10M printk.always_kmsg_dump=y printk.time=y memory_corruption_check=1 nohz=on rcu_nocbs=1-3 pcie_aspm=force fbcon=scrollback:4096k fbcon=font:ProFont6x11 radeon.audio=0 radeon.lockup_timeout=0 radeon.test=0 radeon.agpmode=-1 radeon.benchmark=0 radeon.tv=0 radeon.hard_reset=1 radeon.aspm=1 radeon.msi=1 radeon.pcie_gen2=-1 radeon.no_wb=1 radeon.dynclks=0 radeon.r4xx_atom=0 radeonfb radeon.fastfb=1 apic=debug earlyprintk=vga radeon.modeset=1 radeon.dpm=1 radeon.runpm=1 rd.debug rd.udev.debug rd.memdebug=3 net.ifnames=1
              \ # omitting `root=` after the `linux /kernel` line will cause a prompt for the root device to be mounted
              \ initrd /initramfs
              \ }
              \
              \ menuentry "previous(old) compiled Linux" {
              \ set root=(hd0,2)
              \ linux /kernel.old
              \ initrd /initramfs.old
              \}
              \ # note that hd0,2 is the /bewt /dev/sda2 device, not root / /dev/sda3
              \ while still in vim do: gg=G
              \ to indent the whole file
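          \ Added example (mine, not from this guide or from grub): a lint for the 39_passwords fragment from the step above, to run before grub2-mkconfig copies it into grub.cfg. It checks the exec tail header, refuses plaintext `password` lines, requires a password_pbkdf2 line for every superuser and checks the hash layout and iteration count. The function name and the two sample fragments are mine; the hashes in the samples are short placeholders, real grub2-mkpasswd-pbkdf2 output is far longer.

```sh
#!/bin/sh
# Added example: lint a /etc/grub.d/39_passwords fragment before grub2-mkconfig
# copies it into grub.cfg. lint_grub_passwords and the sample makers are mine,
# not part of this guide or of grub; sample hashes are placeholders.

# Findings go to stdout; returns 0 when clean, 1 when anything is wrong:
#  - missing "exec tail -n +3 $0" header (grub2-mkconfig would execute the
#    set/password lines as shell instead of copying them)
#  - a plaintext "password" line (it lands verbatim in grub.cfg)
#  - a name in superusers without a password_pbkdf2 line
#  - a hash not shaped grub.pbkdf2.sha512.<iterations>.<hexsalt>.<hexhash>,
#    or fewer than the 10000 iterations the example hash in this guide uses
lint_grub_passwords() {
    f="$1"; rc=0
    grep -q '^exec tail -n +3 \$0' "$f" || { echo "no 'exec tail -n +3 \$0' header"; rc=1; }
    if grep -q '^password ' "$f"; then echo "plaintext password line present"; rc=1; fi
    supers=$(sed -n 's/^set superusers="\(.*\)"$/\1/p' "$f")
    [ -n "$supers" ] || { echo "superusers not set"; rc=1; }
    for u in $supers; do
        h=$(sed -n "s/^password_pbkdf2 $u //p" "$f")
        [ -n "$h" ] || { echo "superuser $u has no password_pbkdf2 line"; rc=1; continue; }
        printf '%s\n' "$h" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' \
            || { echo "malformed hash for $u"; rc=1; continue; }
        iter=$(printf '%s\n' "$h" | cut -d. -f4)
        [ "$iter" -ge 10000 ] || { echo "only $iter iterations for $u, want >= 10000"; rc=1; }
    done
    return "$rc"
}

# Constructed clean fragment: header present, one superuser, one pbkdf2 hash.
make_good_passwords() {
    cat > "$1" <<'EOF'
#!/bin/sh
exec tail -n +3 $0
set superusers="username1"
password_pbkdf2 username1 grub.pbkdf2.sha512.10000.402EB465.60C1
EOF
}

# Constructed bad fragment: no header, a plaintext password, username2 without
# a hash, and username1 hashed with only 1000 iterations.
make_bad_passwords() {
    cat > "$1" <<'EOF'
#!/bin/sh
set superusers="username1 username2"
password user3 thisisplaintextpassword
password_pbkdf2 username1 grub.pbkdf2.sha512.1000.402EB465.60C1
EOF
}

# Real use: lint_grub_passwords /etc/grub.d/39_passwords && grub2-mkconfig -o /bewt/grub/grub.cfg
if [ $# -ge 1 ]; then lint_grub_passwords "$1"; fi
```

Gate grub2-mkconfig on this returning 0; a non-zero return prints one line per finding so the fragment can be fixed before a password ends up readable in /bewt/grub/grub.cfg.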
        * grub2-install --compress=xz --target=i386-pc --recheck --debug --locales= --fonts= --boot-directory=/bewt --no-rs-codes --verbose -- /dev/sdb 2>&1
          \ #GRUBY
          \ dev mode(used to track down bugs):
          \ # time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild configure
          \ 3m18s
          \ # cd /var/tmp/portage/sys-boot/grub-9999-r1/work/grub-9999
          \ # ln -s ~/grub-9999/patches/
          \ ^ assumes quilt patches are in /root/grub-9999/patches/
          \ # quilt push -a
          \ when make clean is needed: # (cd ../grub-9999-pc; make clean) ; time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild merge
          \ when just recompiling needed: # time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild merge
          \ end dev mode:
          \ --verbose sets debug=all  as if that was in the grub.cfg as: set debug=all ; seen in: vim util/grub-setup.c +270  as: grub_env_set ("debug", "all");
          \ unsure if part_gpt is needed anymore (since device-mapper USE flag was added to fix this)
          \ apparently with luks+lvm+btrfs, the part_gpt module isn't loaded (rescue prompt shows only hd0), at least without the device-mapper USE flag.
          \ --no-rs-codes  because GPT
          \ for when /boot: grub2-install --compress=xz --target=i386-pc --recheck --debug --locales= --fonts= -- /dev/sda 2>&1 |less
          \ kernel must be already compiled before running this (eg. if you used multiple terminals to get here)
          \ --recheck seems to have no effect on the output (diff-checked) it's probably from grub1
          \ FIXME: see why --core-compress is unrecognized (is it EFI only?)
          \ grub2-install: --core-compress: (PROGRAM ERROR) Option should have been recognized!?
          \ //FIXed: grub2-install: error: disk `lvm/vgall-bootlvol' not found.  <-- that - delimiter should be / for gentoo lvm2  - this needed lvm2 package to be installed! go figure!
          \ ^ getting this error even though I had lvm2 installed from genkernel emerge... re-emerging doesn't fix it
          \ fixed above by using lvmetad and having /run -rbind mounted in the chroot
          \ now no error reported except, if I look back:
          \ grub2-install: info: /dev/mapper/vgall-bootlvol is not present.
          \ grub2-install: info: guessed root_dev `lvm/vgall-bootlvol' from dir `/bewt/grub/i386-pc'.
          \ this is bad because it doesn't even show the grub menu
          \ the git version of grub at least fails:
          \ grub2-install: error: disk `lvm/vgall-bootlvol' not found.
          \ dayum, even with correct /etc/mtab (inside chroot) it still gives the same error: http://dpaste.com/0D1Y5C4.txt
          \ with or w/o mtab, I now get: grub2-install: error: failed to get canonical path of `/dev/mapper/vgall-bootlvol'. Nevermind, I forgot to mount /dev in chroot too.
          \ fixed (added USE flag device-mapper): http://dpaste.com/08EP4FE.txt
          \ and the log using git version of grub: http://dpaste.com/31A2AW7.txt
          \ yep not found! failed! ('cause the non-git version, wouldn't say anything but would fail to boot!)
          \ grub2-install: error: disk `lvmid/31WF5i-VxBz-zdr3-CbG5-A37g-tbac-qVYGlO/bu7oYe-uBNK-xWYQ-wIZD-fk1K-fBeb-pSkvNO' not found.
          \ the ids are correct but not sure why it won't find it
          \ so we're stuck at this: http://dpaste.com/2G47HAF.txt
          \ bug at: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1420584
          \ patches are there, but now a new issue:
          \ //lvmid/  paths are useless, grub doesn't find the volumes, unless I use lvm/vgall-bootlvol instead(XXX: turns out it detected root instead of boot and used root's lvmid as grub root-which is supposed to be the /boot for grub - it's only grub2-mkconfig doing this, and it's because /boot vs /bewt and I forgot to apply that patch which I already had above ^ !)
          \ //then after doing that, kernel panics and I cannot scroll up to see exactly why it tries to kill init... and this is why: https://bugzilla.kernel.org/show_bug.cgi?id=90001#c3 aka !! The ramdisk does not support LUKS   (confirmed, for some reason I ran the last genkernel command(seen from ~/.bash_history) with --no-luks
        * need to add root to kernel cmdline
          * find uuid of crypt device by:
            \ cryptsetup luksDump /dev/sdb3 |grep UUID
            \ /dev/sda3 is the root partition (not the boot one!); it shows up as /dev/sdb3 while booted from the USB stick, hence the sdb above
            \ so looks like this: e8b64567-124a-46a7-a167-d3d9c041de35
          * vim /etc/default/grub
            \ ie. prepend this to GRUB_CMDLINE_LINUX
            \ crypt_root=UUID=e8b64567-124a-46a7-a167-d3d9c041de35 root_trim=yes rd.luks.uuid=e8b64567-124a-46a7-a167-d3d9c041de35 rd.luks.allow-discards
            \ NOTE: for now the rd.* ones are not used, unless you use dracut (aka manual mode of compiling the kernel, instead of via genkernel!)
            \ CAVEAT: root_trim=yes / rd.luks.allow-discards pass TRIM through the LUKS mapping; the cryptsetup man page warns that this reveals which blocks are unused (filesystem type, used space) through the ciphertext, so only keep it if the SSD wear/performance gain is worth that leak
        * grub2-mkconfig -o /bewt/grub/grub.cfg 2>&1
          \ this generated /bewt/grub/grub.cfg
          \ XXX: /bewt needs to be mounted: mount /bewt
          \ XXX: run only this command(mkconfig one) if you've changed /etc/default/grub
        * ls -la /boot
          \ should be empty!!! because used /bewt
          \ well there's ".keep" file from tar unpacking!
        * ls -la /bewt
          \ example:
          \ drwxr-xr-x 1 root root     306 Apr 15 01:38 .
          \ drwxr-xr-x 1 root root     352 Apr  9 19:34 ..
          \ drwxr-xr-x 1 root root      66 Apr 15 01:42 grub
          \ lrwxrwxrwx 1 root root      42 Apr 15 00:54 initramfs -> initramfs-genkernel-x86_64-3.18.9-hardened
          \ -rw-r--r-- 1 root root 5204228 Apr 15 00:54 initramfs-genkernel-x86_64-3.18.9-hardened
          \ lrwxrwxrwx 1 root root      39 Apr 15 00:32 kernel -> kernel-genkernel-x86_64-3.18.9-hardened
          \ -rw-r--r-- 1 root root 4310144 Apr 15 00:32 kernel-genkernel-x86_64-3.18.9-hardened
          \ lrwxrwxrwx 1 root root      43 Apr 15 00:32 System.map -> System.map-genkernel-x86_64-3.18.9-hardened
          \ -rw-r--r-- 1 root root 2302717 Apr 15 00:32 System.map-genkernel-x86_64-3.18.9-hardened
        * inspect grub.cfg a bit (should've worked if the grub patches were in place!)
          \ vim /bewt/grub/grub.cfg
          \ "set root=" must be cryptouuid/<LUKS UUID of the /boot partition, dashes stripped>, i.e. the UUID from (blkid /dev/sdb2 | grep UUID)
          \ eg. cryptouuid/e07b18f3310f494d9104a791e4722476
          \ the 1st part of the search hint carries that same cryptouuid, eg. cryptouuid/e07b18f3310f494d9104a791e4722476
          \ the 2nd part of the hint is the filesystem UUID of the opened container, (blkid /dev/mapper/luks_on_sda2_boot | grep UUID), eg. 3a6305a7-57aa-4712-a6d3-60e10bcee71e
          \ the root in the 'else' branch is that same /dev/mapper/luks_on_sda2_boot filesystem UUID, eg. 3a6305a7-57aa-4712-a6d3-60e10bcee71e
          \ on the linux line, root= is root=/dev/mapper/vgall-rootlvol and the crypt_root=UUID= that follows is a third, different id: the LUKS UUID of the actual / partition (blkid /dev/sdb3, the UUID, not the PARTUUID!), not the grub root (which to grub is the boot device); eg. crypt_root=UUID=e8b64567-124a-46a7-a167-d3d9c041de35
          \ if /boot and / show the same id here, grub2-mkconfig picked the wrong device (the /boot vs /bewt problem from above)
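          \ Added example (mine, not part of these notes): the inspection above done by script. It pulls the three ids out of a grub.cfg and compares them with the values you would get from blkid/cryptsetup, remembering that grub writes the LUKS UUID as cryptouuid/<32 hex, no dashes> while blkid prints the dashed 36-char form. The sample grub.cfg fragment is constructed from the UUIDs quoted above; the function names and the exit codes are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: mechanise the grub.cfg check.
# grub spells the /boot LUKS UUID as cryptouuid/<32 hex> (no dashes),
# cryptsetup/blkid print the dashed 36-char form; crypt_root=UUID= on the
# kernel line is the LUKS UUID of the *root* container and must differ.

strip_dashes() { printf '%s' "$1" | tr -d '-'; }

# UUID grub uses as its own root (the /boot LUKS container), undashed.
grub_root_cryptouuid() {
    sed -n "s/.*set root='\{0,1\}cryptouuid\/\([0-9a-f]\{32\}\).*/\1/p" "$1" | head -n 1
}

# Filesystem UUID grub searches for once the container is open
# (trailing argument of the 'search ... --set=root' lines).
grub_search_fsuuid() {
    sed -n 's/.*search .*--set=root.* \([0-9a-f-]\{36\}\)[ ]*$/\1/p' "$1" | head -n 1
}

# crypt_root=UUID=... on the kernel line: LUKS UUID of the / container.
grub_crypt_root_uuid() {
    sed -n 's/.*crypt_root=UUID=\([0-9a-f-]\{36\}\).*/\1/p' "$1" | head -n 1
}

# check_grub_cfg CFG BOOT_LUKS_UUID BOOT_FS_UUID ROOT_LUKS_UUID
# 0 when the config agrees with all three, 1..4 naming the first mismatch.
check_grub_cfg() {
    cfg=$1; boot_luks=$2; boot_fs=$3; root_luks=$4
    [ "$(grub_root_cryptouuid "$cfg")" = "$(strip_dashes "$boot_luks")" ] || return 1
    [ "$(grub_search_fsuuid "$cfg")" = "$boot_fs" ] || return 2
    [ "$(grub_crypt_root_uuid "$cfg")" = "$root_luks" ] || return 3
    # /boot and / live in different containers; equal ids mean grub2-mkconfig
    # detected root instead of boot (the /boot vs /bewt mix-up).
    [ "$boot_luks" != "$root_luks" ] || return 4
    return 0
}

# Constructed grub.cfg fragment in the shape grub2-mkconfig emits (ids from
# the notes above, not from a live machine).
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Gentoo GNU/Linux' {
    cryptomount -u e07b18f3310f494d9104a791e4722476
    set root='cryptouuid/e07b18f3310f494d9104a791e4722476'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='cryptouuid/e07b18f3310f494d9104a791e4722476'  3a6305a7-57aa-4712-a6d3-60e10bcee71e
    else
      search --no-floppy --fs-uuid --set=root 3a6305a7-57aa-4712-a6d3-60e10bcee71e
    fi
    linux /kernel root=/dev/mapper/vgall-rootlvol ro crypt_root=UUID=e8b64567-124a-46a7-a167-d3d9c041de35 root_trim=yes
    initrd /initramfs
}
EOF
}

# Stand-alone run on the constructed config. On the real box replace the
# three literals with, respectively:
#   cryptsetup luksUUID /dev/sda2
#   blkid -s UUID -o value /dev/mapper/luks_on_sda2_boot
#   cryptsetup luksUUID /dev/sda3
SAMPLE_CFG=$(mktemp)
write_sample_cfg "$SAMPLE_CFG"
rc=0
check_grub_cfg "$SAMPLE_CFG" e07b18f3-310f-494d-9104-a791e4722476 \
    3a6305a7-57aa-4712-a6d3-60e10bcee71e e8b64567-124a-46a7-a167-d3d9c041de35 || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "grub.cfg root/hint/crypt_root UUIDs are consistent"
else
    echo "grub.cfg UUID mismatch, code $rc" >&2
fi
rm -f "$SAMPLE_CFG"
```

          \ Run it against the real /bewt/grub/grub.cfg after every grub2-mkconfig; a non-zero code tells you which of the three ids is off before you find out at the grub rescue prompt.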
      * (will also attempt to close later, outside of chroot!) close /bewt luks
        \ but close it now! so that other programs from emerge don't have access to it!
        * umount /bewt
          \ DON'T unmount it here, because it was mounted from outside chroot!
        * cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot
        * when you wanna mount it later (when sys is running):
          \ cryptsetup --verbose --allow-discards luksOpen /dev/sdb2 luks_on_sda2_boot
          \ yeah, sdb while we're booted from the custom ISO USB stick (or card reader), because that's the order in which the BIOS enumerates them.
          \ mount /bewt
      - (skipped for now) backup boot ...
        * sync; time dd if=/dev/sda2 of=/dev/mapper/vgall-bootlvolbackup bs=100M ; sync
          \ //old: yep 537MB reported is 512M in fact (536870912 bytes (537 MB) copied, 7.76532 s, 69.1 MB/s)
          \ 1073741824 bytes (1.1 GB) copied, 25.8407 s, 41.6 MB/s
          \ 25s
        * TODO: do something with this backup... don't know what at this time, eg. check for modifications after having booted, even though there shouldn't be any because only grub is mounting that one at the grub menu, the kernel isn't mounting it! unless you manually do luksOpen later on! in other words it should be a read-only mount by grub only!
          \ maybe vbindiff the devices, heh
          * time emerge -nav vbindiff
          * 
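        \ Added example (mine, not from these notes) for the TODO above: rather than a dd copy nobody compares, keep a SHA-256 of the raw, still-encrypted /boot partition and re-check it on every boot. Since nothing but grub reads /dev/sda2 while the system runs, the ciphertext must be byte-identical from one boot to the next; any difference means the container was written offline or through an unexpected luksOpen. The database path, function names and the stand-in files are assumptions; on this laptop the real arguments would be /dev/sda2 plus whichever partition holds grub's core.img.

```shell
#!/bin/sh
# Added example, not from the original notes: seal and verify the encrypted
# /boot partition(s) with sha256sum. Uses GNU coreutils only.

FINGERPRINT_DB=${FINGERPRINT_DB:-/var/lib/boot-fingerprint.sha256}   # assumed path

# boot_seal DEV...: record one "sha256  device" line per argument.
# Only run from a state you trust: right after grub2-install or a new
# kernel/initramfs in /bewt, and after luksClose of the boot container.
boot_seal() {
    [ $# -gt 0 ] || return 2
    sha256sum -- "$@" > "$FINGERPRINT_DB" && chmod 600 "$FINGERPRINT_DB"
}

# boot_verify: 0 if every recorded device still hashes the same,
# 1 if any differs, 2 if nothing was ever sealed.
boot_verify() {
    [ -s "$FINGERPRINT_DB" ] || return 2
    sha256sum --check --status -- "$FINGERPRINT_DB"
}

# boot_verify_report: same check, but names the device(s) that changed.
boot_verify_report() {
    [ -s "$FINGERPRINT_DB" ] || { echo "no boot fingerprint recorded" >&2; return 2; }
    sha256sum --check --quiet -- "$FINGERPRINT_DB"
}

# Stand-alone demonstration on constructed files standing in for /dev/sda2
# and the BIOS boot partition. On the real box:
#   boot_seal /dev/sda2 /dev/sdaN      (after each grub/kernel update)
#   boot_verify_report                  (from a boot-time script)
demo_dir=$(mktemp -d)
FINGERPRINT_DB=$demo_dir/boot-fingerprint.sha256
printf 'luks header + ciphertext\n' > "$demo_dir/sda2"
printf 'grub core.img\n' > "$demo_dir/bios_boot"
boot_seal "$demo_dir/sda2" "$demo_dir/bios_boot" && echo "sealed"
boot_verify && echo "boot partitions unchanged"
printf 'X' >> "$demo_dir/sda2"        # simulate an offline modification
boot_verify || echo "CHANGED: a sealed boot partition differs from its recorded hash"
rm -rf "$demo_dir"
```

        \ Caveat: the check runs from the already-booted kernel, so a grub that was tampered with could in principle also hide the tampering; it catches careless offline edits, not a patient attacker. For that you need a measured boot (TPM) which this laptop setup does not use. Also remember to re-seal after every kernel/initramfs or grub update, otherwise the next verify fails by design.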
      * disable some services
        * rc-update del netmount
          \  * rc-update: service `netmount' is not in the runlevel `default'
          \ yep rsync-ed
          \ //* service netmount removed from runlevel default
          \ rc-update: service `netmount' is not in the runlevel `sysinit'  (or 'boot')
      - (rsynced) don't clear tty1 on boot (and logout)
        * nano /etc/inittab
          \ replace line:
          \ c1:12345:respawn:/sbin/agetty 38400 tty1 linux
          \ with:
          \ c1:12345:respawn:/sbin/agetty 38400 --noclear tty1 linux
        - but clear it on logout (XXX: or not, shift+pgup will work anyway, with my patch; so this just offers a fake sense of security)
          * be logged in as root
          * vim ~/.bash_logout
            \ new file, append line:
            \ clear
    * time emerge @preserved-rebuild
      \ //1m41s
    * rebooting #REBOOT #SHUTDOWN #SECONDBOOT
      * exit
      * cd
      * ensure you exited all OTHER ssh terminals
      * umount --lazy /mnt/gentoo/{dev/{shm,pts,},sys/}
      * umount /mnt/gentoo/{bewt,proc,var/tmp/portage,var/tmp,tmp,run,}
      * cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot
        \ already done from above
      * close lvm volumes
        * lvm lvchange --verbose -a n vgall
          \ works, tested!
          \ or: vgchange -van vgall
          \ (untested)
      * cryptsetup --verbose luksClose /dev/mapper/lvm_on_luks_on_sda3_root
      * sync
        \ not really needed
      * reboot & exit
        \ poweroff & exit
        \ ^ is what you do in the future (not from live cd though) to ALSO logout
        \ NOTE: doesn't matter what you had running on virtualbox's console, unless you were chrooted (but you did that yourself!)
        \ hmm uptime 4 hours 25mins
      - remove CD from virtual drive (in virtualbox) OR it will boot from CD!!
  * boot from hdd
    * finalizing (after booted in)
      - rm /stage3-*.tar.bz2*
        \ actually keep this, just in case we wanna check the originals
      * fstrim -v --all
        \ //well we haven't enabled `discard="true"` inside .vbox file so we can't use this(hdparm -I /dev/sda will not report TRIM)
      - then on host
        \ sudo fstrim -v --all
    - (already rsynced)coredumps enabled
      * vim /etc/security/limits.conf
        \ 0:             soft      core       unlimited
        \ #^ all uids from 0 upwards! so what I thought * was doing!
        \ #hmm works with su -, but not with ssh !
    - get tlp  (there's no tlp for gentoo!)
      * time emerge -nav tlp
    * execute this to delay hdd sync-ing! TODO: get these to be executed on boot (on OpenRC the sysctl service applies /etc/sysctl.conf and /etc/sysctl.d/*.conf at boot, so a file there with the two vm.dirty_* settings below would do it)
      * echo 60000 > /proc/sys/vm/dirty_writeback_centisecs
        \ default is 500 aka 5 sec
        \ value is in centisecs (1 sec = 100 centisecs)
        \ src: manjaro root /usr/lib64/tlp-pm/tlp-functions
      * echo 360000 > /proc/sys/vm/dirty_expire_centisecs
        \ default is 3000 aka 30 secs  (so 6 times more than the above)
        \ adjusted accordingly from 10 mins(the above) to(times 6) 60 mins(this one)
    * edit metalog config to not be sync-y
      * vim /etc/metalog.conf
        - add "async" line below the "maxfiles" line, so that's on line 6
          \ nope, it's: flush = 0
        * add "flush = 0" line at the beginning, after the "maxfiles ..." line, so on line 6
          \ flush = 0
          \ ratelimit = 0
          \ ratelimit_burst = 100
      * /etc/init.d/metalog restart
        \ restart it and hope it works! I've no way of verifying this!
        \ it doesn't err at all even if I add a line: shiet
        \ what kind of retarded shiet program is this? :)
    - (not working!) remove some virtualbox stuff
      * time emerge -av --depclean x11-drivers/xf86-video-virtualbox
        \ ok this isn't working because this doesn't exist, it's only in the world file! which got rsync-ed
    * time emerge-webrsync -v -k
      \ like 3min max
      * time USE=-qt4 emerge -av cmake
        \ need cmake for llvm first or else circular dependency! (this is because of the world file containing all packages and stuff, due to rsync)
        \ Total: 2 packages (2 new), Size of downloads: 10847 KiB
        \ dur: real 13m57.141s, user    32m33.253s, sys 6m13.520s
      * remove chromium from world
        * vim /var/lib/portage/world
          \ remove lines:
          \ chromium
          \ firefox
          \ x11-drivers/xf86-video-virtualbox
          \ app-emulation/virtualbox-guest-additions
          \ sys-devel/gcc:4.8
          \ because we're using sys-devel/gcc:5.2 although gcc-config -l is right now saying 4.8.5 is available in list! but it's actually only available in that list! hmm... rsync is to blame for this one!
      * temporarily turn off all logging 'cause this is crazy!
        * sysctl -w kernel.grsecurity.exec_logging=0 ; sysctl -w kernel.grsecurity.chroot_execlog=0 ; sysctl -w kernel.grsecurity.audit_chdir=0 ; sysctl -w kernel.grsecurity.audit_mount=0 
          \ kernel.grsecurity.exec_logging = 0
          \ kernel.grsecurity.chroot_execlog = 0
          \ kernel.grsecurity.audit_chdir = 0
          \ kernel.grsecurity.audit_mount = 0
          \ ----
          \ these not: sysctl -w kernel.grsecurity.signal_logging=0 ; sysctl -w kernel.grsecurity.forkfail_logging=0 ; sysctl -w 
          \ sysctl -w kernel.grsecurity.resource_logging=0 
          \ sysctl -w kernel.grsecurity.audit_ptrace=0 
          \ don't log mount because cgroups get mounted a lot during emerge execution (unless I misremember something)
      * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
        \ //33sec to show error (if cmake above wasn't already installed!)
        \ //Total: 402 packages (9 upgrades, 371 new, 4 in new slots, 18 reinstalls), Size of downloads: 1590463 KiB
        \ //dur:  1m48s until fail, chromium needs disk space (and I'm using tmpfs!)
        \ Total: 370 packages (9 upgrades, 340 new, 3 in new slots, 18 reinstalls), Size of downloads: 958599 KiB
        \ ok wait, (recompiling kernel without grsec spewing msgs on syslog! then redoing this! ok, not recompiling because I can use sysctl)
        \ Total: 370 packages (9 upgrades, 340 new, 3 in new slots, 18 reinstalls), Size of downloads: 958599 KiB
        \ Total: 370 packages (9 upgrades, 340 new, 3 in new slots, 18 reinstalls), Size of downloads: 958599 KiB
        \ dur: 24min until the gsm error due to DEBUG=1 in bash env being set so.
        \ done: x11-drivers/xf86-video-ati-7.5.0 says:
        \  CONFIG_FB_RADEON:   should not be set. But it is.
        \ * Please check to make sure these options are set correctly.
        \ fixing that first!
        - time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask --backtrack=30 @world
          \ added --backtrack=30
          \ still fail, when circular dependencies detected!
        * time DEBUG= emerge -nv media-sound/gsm
          \ dur:  40s
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 340 packages (7 upgrades, 312 new, 3 in new slots, 18 reinstalls), Size of downloads: 0 KiB
          \ dur: real 91m7s, user 52m48.200s, sys 54m38.826s
          \ until fontconfig error!
        * delete files:
          * rm -v /etc/env.d/37fontconfig /etc/fonts/fonts.conf /etc/sandbox.d/37fontconfig
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 217 packages (7 upgrades, 194 new, 2 in new slots, 14 reinstalls), Size of downloads: 0 KiB
          \ dur: 4min because it died(dumped core) after a Ctrl+S, scroll up for like 1 min, then Ctrl+Q  taken as Quit for some reason; all I wanted was scrollLock! looks like MAYBE I did a Ctrl+Alt+4 (or Ctrl+4) which always causes core dump.
          \ rerunning
          \ Total: 214 packages (6 upgrades, 192 new, 2 in new slots, 14 reinstalls), Size of downloads: 0 KiB
          \ dur: 14m11s until collision
        * rm -v /etc/env.d/44qt4-x86_64-pc-linux-gnu
          \ for package: dev-qt/qtcore-4.8.7
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 213 packages (6 upgrades, 191 new, 2 in new slots, 14 reinstalls), Size of downloads: 0 KiB
          \ dur: 170min29sec until collision
        * rm -v /etc/env.d/50gconf /etc/gconf/2/path
          \ for pkg: gnome-base/gconf-3.2.6-r3
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 106 packages (4 upgrades, 94 new, 2 in new slots, 6 reinstalls), Size of downloads: 0 KiB
          \ dur: 7m2s until I C-c so I could remove livecd-tools
          \ rerunning,
        * get mc since it's using git
          * time emerge -av =app-misc/mc-9999
            \ pulls only mc, dur: 6m8.488s
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 102 packages (4 upgrades, 93 new, 1 in new slot, 4 reinstalls), Size of downloads: 0 KiB
          \ dur: 3m4.859s until collision
        * rm -v /etc/env.d/90xdg-data-base /etc/env.d/30xdg-data-local
          \ for pkg: x11-misc/xdg-utils-1.1.0_rc3_p20150825
        * time emerge -nav x11-misc/xdg-utils
          \ dur: about 1min
          \ confirmed the newly put files have the same content!!! only their dates are different
        * 2 more are set to be -9999 version: cairo and ffmpeg! unsetting them
          * vim /etc/portage/package.accept_keywords
            \ comment out the lines with -9999  except for: mc and grub
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 99 packages (4 upgrades, 90 new, 1 in new slot, 4 reinstalls), Size of downloads: 42911 KiB
          \ needs internet again.
          \ that will now get: x11-libs/cairo-1.14.2 media-video/ffmpeg-2.8
          \ dur: real    230m12.924s, user    330m9.855s, sys     165m40.526s
          \ until dev-libs/libunique-1.1.6 failed compilation due to DEBUG=1
          \ hmm why 1.1.6 though? 
        * time DEBUG= emerge -nav dev-libs/libunique
          \ wants to install 3.0.2 version!
          \ dur: 1m13.285s
        * something still wants libunique 1.1.6 !!
          * time DEBUG= emerge -nav =dev-libs/libunique-1.1.6-r1
            \ dur: 1m5s until fail, with DEBUG=1
            \ dur: 1m23.558s
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 37 packages (1 upgrade, 36 new), Size of downloads: 0 KiB
          \ dur: 10m17.959s until I C-c it to remove pcmanfm from world! (will use xfdesktop even though it's different!) oh, wait, pcmanfm is a filemanager too! so we still need it! crap! keeping pcmanfm then...; rerunning
          \ Total: 30 packages (30 new), Size of downloads: 0 KiB
          \ dur: real    80m47.502s, user    62m12.540s, sys     60m2.903s
    * do the needed stuff after an --update
      * hash -r && env-update && source /etc/profile && source ~/.bash_profile
      * reinstall perl modules (after each perl update, apparently)
        * time perl-cleaner --all
          \ 1m57.774s
      * any pam? (they need restart after this pam update)
        * lsof / | egrep -i 'del.*libpam\.so'
          \ none
      * time emerge @preserved-rebuild
        \ old name for this whole command is: revdep-rebuild
        \ rebuilds pinentry, as mentioned by the prior emerge
        \ 9m32s
      * dispatch-conf
        \ z to zap new, since that's the default and we don't want that
    * disable autoconfig
      * rc-update del autoconfig
        \  * service autoconfig removed from runlevel default
      * /etc/init.d/autoconfig stop
      * rc-status
    * wtf xdm-setup?
      * /etc/init.d/xdm-setup stop
    * oh yeah don't need sshd on bare metal:
      * rc-update del sshd
        \  * service sshd removed from runlevel default
      * /etc/init.d/sshd stop
    * time emerge -av --depclean app-misc/livecd-tools
      \ removes hwsetup from rc-status
      \ 29s
      * time emerge -av --depclean sys-apps/hwsetup
        \ 24s
    * alsasound removal
      * /etc/init.d/alsasound stop
      * time emerge -av --depclean media-sound/alsa-utils
        \ 26s
      * rc-status
        \ now this looks acceptable!
    * note: most stuff from below we already have NOW due to the world file having been rsync-ed AND the emerge --update from above!
    * get gdb
      * time emerge -nav sys-devel/gdb
        \ //16m3s
        \ getting gdb before gcc recompile because gcc compiling segfaults 3 times
    * remove leftover gcc files (from 4.8.5) which don't actually point to any existing gcc (4.8.5) because only 5.2.0 is existing! (this is due to rsync!)
      * ls -la /usr/x86_64-pc-linux-gnu/gcc-bin/
        \ see that only 5.2.0 is active!
      * gcc-config -l
        \ see that 4.8.5 versions are reported too! (aside from the 5.2.0 which is CURRENT!! if it's not current for whatever reason, make it so)
      * rm -v /etc/env.d/gcc/x86_64-pc-linux-gnu-4.8.5*
        \ files only; remove that 4.8.5
      * gcc-config -l
        \ observe the updated list!
      * hash -r && env-update && source /etc/profile && source ~/.bash_profile
        \ for good measure!
    * update gcc
      \ based on these instructions: https://wiki.gentoo.org/wiki/Upgrading_GCC#Short_Version
      * remove stack protector warning
        * vim /etc/portage/make.conf
          \ vim I installed at some point, got tired of nano
        * remove -Wstack-protector from CFLAGS
      * time emerge -nav '>=sys-devel/gcc-5.2'
        \ answer y to make changes (adds ** keyword aka testing?, for this gcc)
        \ installed 5.2.0 (from 4.8.4 p1.6)
        \ failed after 27min of compilation, due to:
        \ /var/tmp/portage/sys-devel/gcc-5.2.0/work/gcc-5.2.0/libgomp/team.c:273:1: error: stack protector not protecting local variables: variable length buffer [-Werror=stack-protector]
        \ which is because warnings are treated as errors and CFLAGS
        \ continued, extra 106m13s
      - time emerge -navu sys-devel/gcc:5.1
        \ 5.1 needed when using git sources or else some string.h 'new' variable error will be hit with 4.9 gcc!
        \ 5.1, duration: 95m21s
        \ //this will install 4.8.5 AND 4.9.3 versions; I should've added :4.9  to get only 4.9.3 which would've been latest ~amd64  (5.1.0 and 5.2.0 are well untagged, and 5.2.0 is not supported later by xf86-video...)
        \ //141m52s (this is explained because both gcc versions got installed!)
        - dispatch-conf
          \ u
        - run the above emerge again!
          \ yep again, it will start this time!
          \ will fail if -DDEBUG is in CFLAGS!! https://bugs.gentoo.org/show_bug.cgi?id=545316#c12
          \ duration, at least: 76m43s
          \ XXX: segfaults 3 times !! and still succeeded  (seen as cc1plus on dmesg)
          \ actually no segfaults happened! 5.2.0
      * gcc-config -l
        \ [1] x86_64-pc-linux-gnu-4.8.4 *
        \ [2] x86_64-pc-linux-gnu-4.8.4-hardenednopie
        \ [3] x86_64-pc-linux-gnu-4.8.4-hardenednopiessp
        \ [4] x86_64-pc-linux-gnu-4.8.4-hardenednossp
        \ [5] x86_64-pc-linux-gnu-4.8.4-vanilla
        \ [6] x86_64-pc-linux-gnu-5.2.0
        \ [7] x86_64-pc-linux-gnu-5.2.0-hardenednopie
        \ [8] x86_64-pc-linux-gnu-5.2.0-hardenednopiessp
        \ [9] x86_64-pc-linux-gnu-5.2.0-hardenednossp
        \ [10] x86_64-pc-linux-gnu-5.2.0-vanilla
      * gcc-config 6
        \ pick the newest one
      * env-update && source /etc/profile ; source ~/.bash_profile
        \ looks like gcc-config already runs env-update!
      - Ctrl+R, PS1
        \ export PS1="(chroot1) $PS1"
      * time emerge --oneshot libtool
        \ duration: 2m28s
      - TODO: report this(that on gcc upgrade(U), there's leftover configs): actually 4.8.4 doesn't exist anymore, it got U pgraded! but the config remained! eg. can't depclean it
        * rm /etc/env.d/gcc/x86_64-pc-linux-gnu-4.8.4
        * gcc-config -l
      * keep old gcc? yes
        * if yes then: emerge -nav sys-devel/gcc:4.8
        - if yes then: emerge -nav =gcc-4.8.4 or emerge -nav sys-devel/gcc:4.8 (will add it to favorites, so that --depclean won't remove it next time)
          \ -n is --noreplace
          \ adds gcc:4.8 to favs regardless of which command was used!
        * if not then:
          * time emerge -av --depclean  (XXX: but I wanna keep the old gcc for now, so don't!)
            \ this will remove old gcc version (4.8.3 in this case)
      * time emerge @preserved-rebuild  (old version of this: revdep-rebuild)
        \ //revdep-rebuild command is part of gentoolkit package
        \ finds nothing to update, usually!
      - gcc-config -l
        \ that old one still in list? https://bugs.gentoo.org/show_bug.cgi?id=130772#c18
        * rm /etc/env.d/gcc/x86_64-pc-linux-gnu-4.8.3
          \ remove old one from list
          * for uclibc hardened:  
            \ rm /etc/env.d/gcc/x86_64-gentoo-linux-uclibc-4.8.3
            \ remove the 4.8.3 from:
            \ nano -w /etc/env.d/04gcc-x86_64-gentoo-linux-uclibc
            \ env-update && source /etc/profile
        * FEATURES="-test -stricter" emerge -a '>sys-libs/uclibc-0.9.33.2-r11'
        * FEATURES='-test' emerge @preserved-rebuild  (old cmd: revdep-rebuild)
          \ rebuilds gcc, man, man-db
          \ and fail
        * time emerge @preserved-rebuild  //revdep-rebuild, hmm same errors again? wtf
          \  * Checking dynamic linking consistency
          \ [ 30% ]  *   broken /usr/bin/man (requires libman-2.7.1.so (0x00000000)
          \ libmandb-2.7.1.so (0x00000000))
          \ [ 31% ]  *   broken /usr/bin/mandb (requires libman-2.7.1.so (0x00000000)
          \ libmandb-2.7.1.so (0x00000000))
          \ [ 50% ]  *   broken /usr/lib/gcc/x86_64-gentoo-linux-uclibc/4.9.2/libcilkrts.la (requires -lpthread)
          \ *   broken /usr/lib/gcc/x86_64-gentoo-linux-uclibc/4.9.2/libcilkrts.la (requires -ldl)
          \ [ 54% ]  *   broken /usr/lib/libltdl.la (requires -ldl)
          \ [ 100% ]     
          * looks like it's because I removed that /lib and /usr/lib folders, putting them back skips gcc in above list ^
          * and to fix man-db from being detected as broken, I've to also add /usr/lib/man-db/ to LDPATH TODO: tomorrow
        * gcc-config -l
          \ check that it was done
        * may also check if any other file is using the old one
          \ cd /etc/env.d && grep -r 4.8.3
          \ src: https://wiki.gentoo.org/wiki/Changing_the_CHOST_variable#Verifying_things_work
      * gcc --version
      - env-update && source /etc/profile
        \ to be sure
    * time emerge -nav sys-apps/mlocate 
      \ //1m0s
      \ to have the locate command
    * time emerge -nav firefox
      \ dur: 70m17s until collision: /etc/revdep-rebuild/10firefox
      \ real  70m17.392s
      \ user  179m40.379s
      \ sys 30m6.000s
      \
      \ postponing until the following bash and readline emerges finish, just in case any packages get used by firefox!
    * update bash to 4.4_alpha-r1 to avoid a syntax error in PS1 of .bashrc when the trailing "\" is not preceded by a space after a ")", eg. this works: $(evalexitcode "${__earlyec[@]}" ) \
      \ but this fails: $(evalexitcode "${__earlyec[@]}" )\
      \ see? ") \" vs ")\"
      * time emerge -avu =bash-4.4_alpha-r1
        \ duration: real  36m35.645s  (with firefox compiling in the background for a while)
        \ user  18m38.247s, sys 21m17.847s
        \ it also recompiles readline (a newer, alpha version!)
        \ Total: 12 packages (2 upgrades, 10 reinstalls), Size of downloads: 21403 KiB
      * ok lvm reemerge says I need this
        * rc-update add lvm boot
          \ wasn't there, only lvmetad was.
      * set empty value to this kernel config: CONFIG_UEVENT_HELPER_PATH
        \ currently CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
        \ which doesn't exist as a file!
        * recompile kernel!
          \ 4m30s
      * killall gpg-agent
      * time emerge @preserved-rebuild
        \ 8 packages depending on old readline needed recompile!
        \ dur: 17m21s until I stopped it to emerge-webrsync -v -k (which took 2m11s)
        \ restarted, 3 packages left
        \ dur: 18m24.698s, user 16m54.190s, sys 10m52.580s
    * time emerge -nav =vlc-9999
      \ //Total: 3 packages (3 new), Size of downloads: 25101 KiB
      \ //dur:  16m26.074s, user  17m26.450s, sys 11m26.797s
      \ after adding USE="opus ogg" to /etc/portage/make.conf and then:
      \ time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
      \ Total: 8 packages (3 new, 5 reinstalls), Size of downloads: 5044 KiB
      \ dur: 36m17.430s
      \ done: should really emerge vlc git, not just vlc (2.2.1)!!
      \ WARNING: git download is limited to about 300.00 KiB/s (total: 247.32 MiB)
      \ -9999 duration: 31m46.405s, user  24m32.440s, sys 15m34.103s  (with vlc playing in the background)
      \ re-emerging git vlc with new USE flags!
      \ duration: 10m27.017s (oops the USE flags weren't in effect! redoing)
      \ time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
      \ Total: 21 packages (20 new, 1 reinstall), Size of downloads: 22564 KiB
      \ duration: real  41m31.405s, user  35m41.256s, sys 26m31.080s
      \ got some bad flags and some mkv and webm files which previously played, don't anymore:
      \ [000003ab5dc6dac0] xml xml reader error: XML parser error (line 1) : Document is empty
      \ [matroska,webm @ 0x3ab5d60c070] EBML header parsing failed
      \ re-emerging (with USE=-xml), duration: 12m55.745s
      \ yep vids work now, so ignore this: [00000397f18f85d0] core demux error: XML provider not found
      \ .webm with audio codec opus doesn't play (no audio, no sound), so removed USE flag: vorbis (no effect)
      \ duration(while compiling virtualbox): 18m19.347s
      \ disabling flag ogg(no effect):
      \ duration: 11m51.265s
      \ next, disabling opus(no good!can't decode) (although I remember this didn't work for .opus files before! and I'm pretty sure ffmpeg had opus support, so vlc wasn't able to fall back to it or something, since it didn't play *.opus)
      \ duration: 12m2.735s
      \ yep, cannot even play: Codec not supported:
      \ VLC could not decode the format "Opus" (Opus Audio)
      \ rebuilt with more defaults, dur: 11m57.000s  (no effect)
      \ rebuilt back with initial manually set flags, dur: 15m7.376s
    * time emerge -nav firefox
      \ dur: 13m26.503s  (it was 70min before! this was an emerge(not ebuild) rerun, and thanks to ccache!)
      \ uses 7.1G in /var/tmp/portage/
      \ recompilation takes: 22m4.151s (because it also created binpkg for existing!)
    - (already updated) update bash to fix the HISTSIZE=-1 bug as follows: (don't update .bashrc yet!)
      \ this updates readline to latest/unstable, which is used below when installing gnupg (XXX: unsure how affected this is, because doing them in reverse order then doing this emerge --update --ask @world  doesn't update gnupg at all so maybe it is using latest readline anyway)
      * time emerge -nav ">bash-4.3"
        \ --autounmask-write
      * dispatch-conf
        \ u - to use new
      * emerge -a ">bash-4.3"
        \ To see what that U flag means when emerge lists packages with --ask, man emerge search for: --pretend \(-p\)
    - remove xscreensaver until fixed the unlocking issue(never unlocks even if password is good!)
      * time emerge -av --depclean xscreensaver
        \ dur: ok, can't remove this because ARE YOU FUCKING KIDDING ME?! (you again)     xfce-base/xfce4-session-4.12.1 requires >=x11-misc/xscreensaver-5.26
        \ and xflock4 (which is what's run on Ctrl+Alt+L) is part of xfce-base/xfce4-session-4.12.1 (/usr/bin/xflock4)
    * get vim
      * nano -w /etc/portage/package.use/vim
        \ put this line:
        \ app-editors/vim -debug
        \ this is just in case debug flag is enabled globally (whenever)
        \ must disable the debug flag for vim to avoid the creation of nfa_regexp_*.log files in the current folder whenever vim gets invoked!  these files, especially nfa_regexp_run.log, can get very big very fast, eg. 200+ MB
      * time emerge -nav app-editors/vim
        \ //25m46s
      - time emerge -av app-vim/vim-spell-en
        \ vim ~/.vimrc
        \ :setlocal spell spelllang=en
        \ avoid this because of too much red stuff when editing make.conf
      - (already rsync-ed)put in ~/.bashrc in root only (because zazdxscf will be updated below):
        * vim ~/.bashrc
          \ EDITOR="/usr/bin/vim"
      - fix too dark blue with urxvt
        * vim ~/.vimrc  (new file), append this line:
          \ colorscheme torte
          \ " to allow for lines in edited files like this to take effect:
          \ " # vim: set ts=2:
          \ " set modeline
          \ " ok security vuln. don't set modeline! use securemodelines script (somehow)
      - (done with rsync above)actually use my real .vimrc here
        \ From host(so not within virtualbox) execute:
        \ scp -P 8822 -4vp ~/.vimrc root@127.0.0.21:/mnt/gentoo/root
      - (done rsync) auto mkdir /tmp/vim  put this in ~/.bashrc
        \ mkdir --mode=700 --parents -- /tmp/vim/
    * Midnight Commander
      - done: place my mc patches in /etc/portage/patches or something here, before emerge
      * time emerge -avu app-misc/mc
        \ actually have to use -av here when mc-9999 is installed, or else nothing will be re-installed! (-avu and -nav will skip it)
        \ //9m4s
        \ 2 packages
        \ from /var/log/portage/elog/summary.log :
        \ To enable exiting to latest working directory,
        - (already in rsync) put this into your ~/.bashrc:  (zazdxscf user will be updated later)
          \ source /usr/libexec/mc/mc.sh
    * recompile all, based on what changed in USE flags and also update!
      * before updating, consider masking gcc:4.8 or else 4.8.5 (previously 4.8.4 being installed) will be the next emerged which isn't bad but we likely don't need to ever use the 4.8 gcc series again.
      * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
        \ //Total: 141 packages (88 upgrades, 27 new, 3 in new slots, 23 reinstalls, 1 uninstall), Size of downloads: 360,506 KiB
        \ //duration: 527m15s (gentoo hardened)
        \ //Total: 179 packages (89 upgrades, 64 new, 4 in new slots, 22 reinstalls, 1 uninstall), Size of downloads: 527,311 KiB
        \ //duration: 443m3s (gentoo normal)
        \ Total: 151 packages (99 upgrades, 17 new, 3 in new slots, 32 reinstalls, 2 uninstalls), Size of downloads: 362,717 KiB
        \ stopped after 52m47s due to power outage
        \ 142 packages left, took an extra:  545m4s (641m48s user, 509m32s sys)
        \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Updating_the_system
        \ running that will sometimes update kernel sources (that is, get a new set of sources for next kernel version, alongside existing ones) - to update kernel read here https://wiki.gentoo.org/wiki/Kernel/Upgrade#Installing_and_using_a_new_kernel done: get the steps(see Kernel section in this wofl file)
      * when you see: IMPORTANT: 2 config files in '/etc' need updating.
        \ in current case the new configs are just the default ones which we shouldn't put back (so zap new to avoid them, below)
        \ just run: dispatch-conf
        \ //to see which package owns dispatch-conf do: equery b dispatch-conf
        \ //and it's part of portage, sys-apps/portage-2.2.14
        \ it will try to apply these files(which are newer supposedly):
        \ find /etc -name '._cfg????_*'
        \ you may want to zap-new since it's likely that the new config(+++) is the default one when compared with what we've changed like /etc/locale.gen
      * hash -r && env-update && source /etc/profile && source ~/.bash_profile
      * reinstall perl modules (after each perl update, apparently)
        * time perl-cleaner --all
          \ //9m43s
          \ 1m39s finds nothing
      * any pam? (they need restart after this pam update)
        * lsof / | egrep -i 'del.*libpam\.so'
          \ none
      * time emerge @preserved-rebuild
        \ old name for this whole command is: revdep-rebuild
        \ rebuilds pinentry, as mentioned by the prior emerge
        \ 9m32s
      * dispatch-conf
        \ z to zap new, since that's the default and we don't want that
      * select latest python, or it will be depcleaned!
        \ note: any python that's not 2.7 or the selected 3.4 (eg.3.3.5) will be removed with the depclean below
        * eselect python list
          \ [1]   python2.7 *
          \ [2]   python3.4
        * eselect python set 2
        * eselect python list
          \ [1]   python2.7
          \ [2]   python3.4 *
      * time emerge -av --depclean
        \ All selected packages: =sys-auth/realtime-base-0.1 =sys-fs/dmraid-1.0.0_rc16-r3
        \ =sys-apps/hwdata-gentoo-0.4 =media-libs/portaudio-19_pre20140130 =sys-libs/libkudzu-1.2.57.1 =media-libs/audiofile-0.3.6-r1 =sys-boot/grub-static-0.97-r12 =media-libs/libsdl-1.2.15-r9 =net-dialup/mingetty-1.08 =sys-block/parted-3.2 =media-libs/libsamplerate-0.1.8-r1 =app-admin/localepurge-0.5.4-r2 =x11-apps/scripts-1.0.1-r1 =media-sound/jack-audio-connection-kit-0.124.1
        \ dur: 2m46.006s
        \ old comments follow:
        \ //1m58s
        \ // = old comments not in effect
        \ //if all good and more than 0 packages to remove then, remove the -p param and rerun
        \ //-p is --pretend, not needed when using -a aka --ask; well, unless you have some pressed keys from before (such as a double enter) that will start removing... unless you're quick to C-c in the next 5 sec (a countdown is shown after the answer to the question is Yes)
        \ //this also removes leftover gcc 4.8.3 (which I kept until now) - not anymore, I added it to favs
      * time emerge @preserved-rebuild
        \ re-emerges perl /:  9m33s
    - (rsynced)multi off
      * vim /etc/host.conf
        \ multi off
    * if gcc 4.8.4 got updated to 4.8.5 then there's one leftover file which needs deleting or else gcc-config -l shows it in the list but cannot be selected due to missing other files(it was removed after all: equery l gcc  see?)
      * mv /etc/env.d/gcc/x86_64-pc-linux-gnu-4.8.4 /tmp
    * time emerge -nav app-crypt/gnupg
      \ for future emerge-webrsync -v -k  invocations
      \ now, this only adds this to favs. (maybe I installed it before? or some other packaged pulled it)
      \ also needs --update @world before emerging due to libcrypt version conflicts
    - rc-update add dbus default
      \ no idea if I need this for anything!!
    - where to go from here
      \ portage: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Welcome_to_portage
      \ USE flags & others: https://wiki.gentoo.org/wiki/Handbook:AMD64#Working_with_Gentoo
    - (ccache is on hdd; this isn't in effect - ignore it) make sure ccache is either empty or moved to have enough ram and tmpfs space left to continue
      \ df /var/tmp/portage
      \ choose one:
      * to move it
        * time mv -v -n -t / -- /var/tmp/ccache
          \ it already has all the right permissions
          \ 2.6G, 1m59s
        * vim /etc/portage/make.conf
          \ CCACHE_DIR="/ccache"
      * or to delete it
        * CCACHE_DIR="/var/tmp/ccache" ccache -C -z
    * get xorg
      \ https://wiki.gentoo.org/wiki/Xorg/Configuration#Input_driver_support
      \ okfixed: should use --onlydeps on this next emerge since I know the specific package will fail! aka -o
      - (this was for virtualbox!) time emerge -avo x11-drivers/xf86-video-virtualbox
        \ Total: 44 packages (44 new), Size of downloads: 128,330 KiB
        \ //old: 145m50s and failed
        \ 65m45s until fail (gcc 5.2 found need 5.1 at most!) at package x11-drivers/xf86-video-virtualbox-5.0.2 which is kinda odd since i specified -o aka --onlydeps
        \ first, do use ccache for all other packages.
        \ this does fetch all required X packages too
        \ tail -f /var/log/emerge-fetch.log
        \ ^ to see download progress; the downloads all happen at the beginning, sequentially among themselves but in parallel with the compilation (forgot which FEATURES flag does this, can probably easily find it though).
        \ //failed after 160m30s  with '** gcc version 5.2 found, expected gcc 3.x with x>1 or gcc 4.x with 0<x<10 or gcc 5.1!'  for x11-drivers/xf86-video-virtualbox-5.0.0
        - FIXME: virtualbox-guest-additions(to make copy/pasting to/from guest OS)
          - (only with hardened) temporarily switch gcc to vanilla 4.9.2 (4.8.3 will fail to compile this) [for vboxvideo]
            \ is it because of the undefined symbol vgaHWFreeHWRec ? on startx in /var/log/Xorg.0.log ? yep!! so this is why you need vanilla! - now fixed: https://bugs.gentoo.org/show_bug.cgi?id=546362
            * gcc-config -l
            * gcc-config 10
              \  [10] x86_64-pc-linux-gnu-4.9.2-vanilla *
              \ 10 or 5
            * source /etc/profile
            * ok just temporarily remove -Wstack-protector from /etc/portage/make.conf  CFLAGS var
              \ or else this fail:
              \ /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.26/work/VirtualBox-4.3.26/src/VBox/Runtime/common/checksum/RTSha1Digest.cpp: In function 'int RTSha1DigestFromFile(const char*, char**, PFNRTPROGRESS, void*)':
              \ /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.26/work/VirtualBox-4.3.26/src/VBox/Runtime/common/checksum/RTSha1Digest.cpp:105:15: error: stack protector not protecting local variables: variable length buffer [-Werror=stack-protector]
              \ RTR3DECL(int) RTSha1DigestFromFile(const char *pszFile, char **ppszDigest, PFNRTPROGRESS pfnProgressCallback,
              \               ^
              \ cc1plus: all warnings being treated as errors
              * ie. looks like this now:
                \ CFLAGS="-O2 -pipe -march=native -fstack-protector-all -g3"
          * time FEATURES="-ccache" emerge -av '=x11-drivers/xf86-video-virtualbox-4.3.26'
            \ (apparently virtualbox-guest-additions also includes xf86-video-virtualbox - that is, it selects it, as package, and is first in order! ok this doesn't happen always, seems to not happen when specifying version AND the other package already existed)
            \ to get 4.3.26 (not 4.3.18) because I'm running(still) virtualbox 4.3.26 on my host (and this compilation will happen inside a guest, gentoo)
            \ dispatch-conf
            \ u
            \ duration 7m25s
            \ must not use ccache, or else fails with that PIC error:
            \ "error: code model kernel does not support PIC mode"
            \ //if this fails (with the PIC error), remember PATH points to ccache's gcc, so just source /etc/profile to overwrite; but you already did source it, so this shouldn't happen!!!
            - 4.3.18 fails with something else!!!
              \ /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.18/work/vboxvideo_drm/vboxvideo_drm.c:125:17: error: 'drm_mmap' undeclared here (not in a function)
              \         .mmap = drm_mmap,
          - (only with hardened) put back gcc
            * gcc-config 6
              \ switch back to hardened gcc (6 or 1)
            * source /etc/profile
              \ Note: this overwrites whatever you intended to overwrite with your ~/.bashrc
            * put back the -Wstack-protector in make.conf
              * looks like this now:
                \ CFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all -g3"
        - (needs license)get this because mesa complains that it might want it
          * time emerge -nav media-libs/libtxc_dxtn
            \ what? needs license, well, don't install then
            \ "Depending on where you live, you might need a valid license for s3tc
            \ in order to be legally allowed to use the external library.
            \ Redistribution in binary form might also be problematic."
        * recompile kernel with genkernel...
          \ to avoid this error when compiling x11-drivers/xf86-video-virtualbox-5.0.2
          \ cc1: error: cannot load plugin ./tools/gcc/colorize_plugin.so
          \ this was likely because kernel was compiled with gcc 4.8.4 at the installation stage and ofc its built .so files were left there in build dir.
        - NO!! old:need to use vanilla kernel due to 'undefined symbol vgaHWFreeHWRec' later on when startx happens (even tho compilation is successful!)
          \ FIXed: find a way to compile hardened still! fixed: https://bugs.gentoo.org/show_bug.cgi?id=546362  (untested yet)
          * gcc-config -l
          * gcc-config 10
            \ vanilla!
            \ eg.  [10] x86_64-pc-linux-gnu-5.2.0-vanilla *
          * hash -r && env-update && source /etc/profile && source ~/.bash_profile
            \ or just "source /etc/profile" as they say.
        * time CCACHE_DISABLE=1 emerge -nav x11-drivers/xf86-video-virtualbox
          \ XXX: must not use ccache due to that PIC error
          \ FAIL(5.0.2): cc1: error: cannot load plugin ./tools/gcc/colorize_plugin.so
          \ ./tools/gcc/colorize_plugin.so: undefined symbol: _Z18pp_base_set_prefixP17pretty_print_infoPKc
          \ cc1: error: cannot load plugin ./tools/gcc/initify_plugin.so
          \ ./tools/gcc/initify_plugin.so: undefined symbol: _Z24varpool_add_new_variableP9tree_node
          \ scripts/Makefile.build:258: recipe for target '/var/tmp/portage/x11-drivers/xf86-video-virtualbox-5.0.2/work/vboxvideo_drm/vboxvideo_drm.o' failed
          \ old:
          \ (apparently virtualbox-guest-additions also includes xf86-video-virtualbox - that is, it selects it, as package, and is first in order! ok this doesn't happen always, seems to not happen when specifying version AND the other package already existed)
          \ 4.3.26 is no longer in the list
          \ this (4.3.28) also fails with gcc 5.2.0 as '** gcc version 5.2.0 found, expected gcc 3.x with x>1 or gcc 4.x with 0<x<10!'
          - switch to gcc 4.8.5 (because we don't have 5.1.0, only 5.2.0)
            * gcc-config -l
            * gcc-config 1
            * hash -r && env-update && source /etc/profile && source ~/.bash_profile
            * gcc-config -l
              \ [1] x86_64-pc-linux-gnu-4.8.5 *
          - vim /usr/src/linux/include/linux/string.h +114
            \ edit that string.h file and change 'new' to 'neww' for example.
          - eselect python set 1
            \ select python 2.7 or get some print ""  errors due to using python 3.4
            \ apparently not needed, possibly due to USE_PYTHON=2.7 in make.conf even though eselect python list  is python3.4 *
          - time CCACHE_DISABLE=1 emerge -nav x11-drivers/xf86-video-virtualbox
            \ also works FEATURES=-ccache  but this won't handle the case when ccache's gcc is in PATH (the former definitely does work even if ccache's gcc is in PATH, tested now for kernel)
            \ //old:this now pulls virtualbox 5.0.0 xf86 driver, duration: 12min and fail with cannot find vboxvideo, really! nevermind it worked this time, I was using FEATURES='keepwork keeptemp' and that's why it failed, apparently; since it just worked without them! 8m21s to rerun without them (ccache must've helped)
            \ //fail, 4.8.5 also with 4.9.3 and with 5.1.0 all fail: 
            \ ///usr/src/linux/include/linux/string.h:114:42: error: expected ',' or '...' before 'new'
            \ // char *strreplace(char *s, char old, char new);
            \ XXX: 5.2.0 is not allowed at configure step.
            \ XXX: need ccache disabled due to that PIC error when using hardened gentoo.
            \ fails with 4.8.5 with: /usr/src/linux/include/linux/compiler.h:221:29: error: can't set 'no_instrument_function' attribute after definition
        - switch back to hardened gcc 
          * gcc-config -l
          * gcc-config 6
            \ eg.  [6] x86_64-pc-linux-gnu-5.2.0
          * hash -r && env-update && source /etc/profile && source ~/.bash_profile
        - truth: try; apparently we don't need vboxvideo added to /etc/conf.d/modules because at least when startx happens you can see it being loaded in Xorg.0.log and unloaded afterwards. (not seen in lsmod before/after)
          \ but it says: "to use the kernel drm video driver" ...
      * time emerge -av x11-base/xorg-drivers
        \ XXX: don't use -nav here, use -av because, with -nav it does nothing, except wants to add itself to favs. but with -av  needs to install evdev and keyboard, looks like this:
        \ [ebuild  N     ] x11-drivers/xf86-input-evdev-2.9.2::gentoo  0 KiB
        \ [ebuild  N     ] x11-drivers/xf86-input-keyboard-1.8.1::gentoo  0 KiB
        \ [ebuild   R    ] x11-base/xorg-drivers-1.17::gentoo
        \ you see those two N ? and that R with the -nav prevents those two N from being installed!
        \ //7m19s
      * get sound in X
        \ //ensure USE flag is set: pulseaudio   (it is!)
        \ src: https://wiki.gentoo.org/wiki/PulseAudio
        * time emerge -nav media-sound/pavucontrol media-sound/paprefs
          \ this will add the gnome flag to pulseaudio package! and egl to mesa
          \ //old: Total: 58 packages (57 new, 1 reinstall), Size of downloads: 174,508 KiB
          \ //203m36s
          \ //Total: 56 packages (56 new), Size of downloads: 174,064 KiB
          \ //187m17s real (208m10s user, 137m30s sys)
        * consolekit must not be running (something else is starting it anyway, with the --no-daemon param(see ps axuw|grep cons): /usr/sbin/console-kit-daemon --no-daemon)
          \ //apparently not running anymore (maybe this happened only in hardened? not in hardened at this time)
          \ actually it's running now, on working system, at least after having exited X. But this is necessary for pulseaudio to work, it's just not needed to run on startup. It's running while in X too (confirmed on bare metal now)
        * rc-update del consolekit default
          \ wasn't already there.
        - fixed(somehow!): there's no hardware device (inside virtualbox) with hardened kernel and grsec! - this got fixed, i just don't remember how/what at this time!
      * get xfce4
        \ https://wiki.gentoo.org/wiki/Xfce/HOWTO
        - add more USE flags in /etc/portage/make.conf (already added in first USE)
          \ -minimal dbus jpeg lock session startup-notification -thunar
        - (already rsync'd) add a line in make.conf
          \ XFCE_PLUGINS="brightness clock trash battery power"
          \ current list is here: https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/profiles/desc/xfce_plugins.desc?view=markup
        * time emerge -nav media-libs/netpbm x11-libs/gdk-pixbuf xfce4-meta xfce4-notifyd
          \ //Total: 62 packages (62 new), Size of downloads: 39,040 KiB
          \ //73m52s
          \ //old: 61 packages! 57m21s
          \ XXX: Without explicitly including xfce-extra/xfce4-notifyd in your emerge command, virtual/notification-daemon will draw in GNOME's x11-misc/notification-daemon instead:
          - xfdesktop fails to compile (4.12.1 unstable that is)
            \ 4.12.3 works fine (latest now)
            \ xfdesktop-xfdesktop-icon-view.o: In function `xfdesktop_icon_view_drag_drop':
            \ /var/tmp/portage/xfce-base/xfdesktop-4.12.1/work/xfdesktop-4.12.1/src/xfdesktop-icon-view.c:1617: undefined reference to `xfdesktop_dnd_menu'
            * equery m xfce-base/xfdesktop
              \ see the version prior to that (4.12.1) which is currently 4.12.0 or the stable one 4.10.2 currently.
            * time emerge -nav =xfce-base/xfdesktop-4.12.0
              \ that worked!
            * to avoid updates picking up latest version and failing
              * vim /etc/portage/package.mask/xfdesktop
                \ =xfce-base/xfdesktop-4.12.1
            * time FEATURES="-stricter" emerge -nav xfce4-meta
              \ continue...
          * eselect fontconfig enable 57-dejavu-sans-mono.conf
            \ was just installed but not enabled
            * eselect fontconfig list
        - time emerge -nav x11-misc/pcmanfm (actually we don't want this, xfce's desktop seems better though different! ie. you can't have shortcuts on desktop, only minimized windows showing as icons!)
          \ this wants 1 new USE flag: gtk
          \ Total: 12 packages (12 new), Size of downloads: 7,542 KiB
          \ 16m34s
          - since this updates eudev, do this:  
            \ it doesn't, anymore
            * /etc/init.d/udev --nodeps restart
        * rc-update add dbus default
          \ this is for reboot/shutdown menus in xfce to be enabled
          \ //hmm I already added this somewhere above; actually, now, trying to not add this at all to see if it works anyway (eg. something else will start it, if it needs it) - ok doesn't work without adding it; the reboot/shutdown menus are disabled; but they are enabled if dbus is added to default as such.
        * start dbus? (unsure if needed before running startx because X isn't working for me right now for other reasons)
          * /etc/init.d/dbus start
        * add user zazdxscf to groups
          * for x in cdrom cdrw usb ; do gpasswd -a zazdxscf $x ; done
        * hash -r && env-update && source /etc/profile && source ~/.bash_profile
        * time emerge -nav x11-terms/xfce4-terminal xfce4-volumed-pulse
          \ apparently already installed!
          \ // Total: 5 packages (5 new), Size of downloads: 3,283 KiB
          \ // 10m13s
          \ //18 packages, 28m33s
          * config
            * General
              * Run command as login shell
              * set Scrollback lines to 5242880 (which is max!)
              * untick Scroll on output
              * Dynamically-set title: Replaces initial title
            * Appearance tab
              * Background - Transparent 0.90
              * Font: Monospace 12
              * Allow bold text
        - time FEATURES="-stricter" emerge -nav x11-terms/xfce4-terminal
        - time emerge -nav xfce4-volumed-pulse
          \ volume keys
          \ docs from: https://wiki.gentoo.org/wiki/Xfce
      - (rsynced) echo "exec ck-launch-session dbus-launch --sh-syntax --exit-with-session startxfce4" | tee /home/zazdxscf/.xinitrc
        \ this extra consolekit stuff is to enable the restart/shutdown buttons
        \ but don't add it to rc; eg. don't do this: rc-update add consolekit default   (something else is already starting it, even when it dies - gets restarted; ps axjf  doesn't show any parents)
        * chown zazdxscf:users /home/zazdxscf/.xinitrc
        - fixed: restart/shutdown don't work, when you startx that is.
          * rc-update add dbus default
            \ now they do, after you reboot that is; but without this, they won't!
      * fix vboxvideo into radeon, for bare metal
        * vim /etc/X11/xorg.conf.d/30_dri.conf
          * change line:
            \ Driver "vboxvideo"
            \ into:
            \ Driver "radeon"
          * change line:
            \ Identifier "Device0"
            \ into:
            \ Identifier "radeon"
      * get into zazdxscf user from within the virtualbox window (not ssh!) and then:
        - echo "exec startxfce4 --with-ck-launch" > ~/.xinitrc
          \ only needed once
          \ --with-ck-launch is for Restart/Shutdown button to appear, instead of being greyed out!
        - echo "exec ck-launch-session dbus-launch --sh-syntax --exit-with-session startxfce4" > ~/.xinitrc
          \ this extra consolekit stuff is to enable the restart/shutdown buttons
          \ but don't add it to rc; eg. don't do this: rc-update add consolekit default   (something else is already starting it, even when it dies - gets restarted; ps axjf  doesn't show any parents)
        * startx
          \ //currently stuck, mouse is dead, can only kill X; because evdev module is not found! because x11-base/xorg-drivers didn't get reinstalled due to using -n flag to emerge which made 2 other packages not install at all ( evdev and keyboard) so using -av instead of -nav to x11-base/xorg-drivers because of this.
      - (no need, only for zazdxscf is already rsynced) remove leftover from skel, clear command on bash logout (still as user zazdxscf); remove clear because it gives false sense of security (scroll up will still work fine)
        * sudo vim /etc/skel/.bash_logout
          \ yep, we do have sudo rights
        * vim ~/.bash_logout
      * install more stuff (from the ssh, root user! normal user cannot emerge!)
        * time emerge -nav net-misc/ntp
          \ for ntpdate
          \ //10m57s
          * ntpdate -4vs time.nist.gov
            \ this updates time currently (aka manually, any time you want to, independent of ntpd)
            \ XXX: or use updclock script from ~/bin/
          - (let's not run ntpd fulltime here, maybe we can cron it instead) rc-update add ntpd default
            \ undo with: 
            \ rc-update del ntpd default
            \ rc-service ntpd stop
          - (rsynced) vim /etc/ntp.conf
            \ server 127.127.1.0
            \ fudge  127.127.1.0 stratum 10
            \
            \ #This sets localhost as a server with low priority, so that the daemon starts properly even without network connection and switches to using network servers when connection is established.
            \ src: https://wiki.gentoo.org/wiki/Ntp
            - (already set)access to NTP service allowed only from localhost
              \ restrict default nomodify nopeer noquery limited kod
              \ restrict 127.0.0.1
            * deny access to NTP's monlist functionality, which is used for querying traffic stats but has also been exploited in denial-of-service attacks.
              \ disable monitor
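The two ntp.conf settings above (the restrict default line and disable monitor) are easy to lose on a later edit, so here is an added check that is not part of the original notes: a small POSIX sh script that audits an ntp.conf for both points and says which one is missing. The function names and the two sample configs are constructed for illustration; only the `restrict` and `disable monitor` lines themselves come from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an ntp.conf for the two
# hardening points above (a restrictive "restrict default" line and
# "disable monitor", which turns off the monlist facility).
# Usage on a real box: audit_ntp_conf /etc/ntp.conf

# 0 if some "restrict [-4|-6] default ..." line carries nomodify, noquery and nopeer.
ntp_default_restricted() {
    awk '$1 == "restrict" {
            s = 2
            if ($2 == "-4" || $2 == "-6") s = 3
            if ($s == "default") {
                nm = 0; nq = 0; np = 0
                for (i = s + 1; i <= NF; i++) {
                    if ($i == "nomodify") nm = 1
                    if ($i == "noquery")  nq = 1
                    if ($i == "nopeer")   np = 1
                }
                if (nm && nq && np) ok = 1
            }
         }
         END { exit !ok }' "$1"
}

# 0 if a "disable ..." line names monitor (comment lines start with # so $1 never matches).
ntp_monitor_disabled() {
    awk '$1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "monitor") found = 1 }
         END { exit !found }' "$1"
}

# Runs both checks on the file in $1, prints a verdict per check, returns 0 only if both pass.
audit_ntp_conf() {
    rc=0
    if ntp_default_restricted "$1"; then
        echo "ok   : restrict default carries nomodify/noquery/nopeer"
    else
        echo "FAIL : no 'restrict default' line with nomodify, noquery and nopeer"
        rc=1
    fi
    if ntp_monitor_disabled "$1"; then
        echo "ok   : 'disable monitor' present (monlist off)"
    else
        echo "FAIL : monlist still enabled (add 'disable monitor')"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs, written to temp files so the functions can take a path
# exactly as they would take /etc/ntp.conf.
NTP_HARDENED=$(mktemp) ; NTP_WEAK=$(mktemp)
cat > "$NTP_HARDENED" <<'EOF'
server 127.127.1.0
fudge  127.127.1.0 stratum 10
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
disable monitor
EOF
cat > "$NTP_WEAK" <<'EOF'
server 127.127.1.0
restrict default kod
# disable monitor
EOF

for f in "$NTP_HARDENED" "$NTP_WEAK"; do
    echo "== $f"
    audit_ntp_conf "$f" || echo "-> $f needs attention"
done
```

The weak sample shows the usual mistake: a `restrict default` line that only has `kod`, and `disable monitor` left commented out, so the daemon still answers monlist queries.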
          * set these in kernel to avoid having to use hwclock service (see: https://wiki.gentoo.org/wiki/Ntp )
            \ note: these were already set (in non rsynced .config !)
            \ Device Drivers  --->
            \  [*] Real Time Clock  ---> CONFIG_RTC_CLASS
            \      [*]   Set system time from RTC on startup and resume  (this wasn't set in rsynced .config!) CONFIG_RTC_HCTOSYS
            \      [*]   Set the RTC time based on NTP synchronization - CONFIG_RTC_SYSTOHC
        * time DEBUG= FEATURES="-stricter" emerge -nav xfce4-battery-plugin xfce4-sensors-plugin xfce4-mixer xfce4-taskmanager xfwm4-themes orage mousepad xfce4-power-manager
          \ Total: 28 packages (24 new, 4 in new slots), Size of downloads: 19,309 KiB
          \ 57m11s
          \ //Total: 26 packages (25 new, 1 in new slot), Size of downloads: 19,058 KiB
          \ //22m39s until first fail; + 16m31s after that
          \ //35 packages, and 1 USE change needed, duration: 39m23s
          \ DONE: xfce-extra/xfce4-power-manager-1.3.0 needs kernel option CONFIG_TIMER_STATS to be set: *   CONFIG_TIMER_STATS:  is not set when it should be.
          \ XXX: libunique fails due to env var being set DEBUG=1  (TODO: report this on bugs)
        * vim /etc/portage/package.use/firefox
          \ www-client/firefox -gmp-autoupdate gstreamer pulseaudio system-jpeg system-icu -system-cairo system-libvpx system-sqlite -wifi
          \ never use system-cairo , reason: https://bugzilla.mozilla.org/show_bug.cgi?id=1200934#c5  and I kinda agree with him.
          \ changed to minus system-cairo to avoid this bug that causes youtube videos to freeze with firefox 40.0.2 (not with 39.0.3) https://bugs.gentoo.org/show_bug.cgi?id=558150#c23  also see https://bugzilla.mozilla.org/show_bug.cgi?id=1193520 which is the same thing, supposedly!
        * first, you must move /var/tmp/ccache into root dir (aka /  not /root )
          * and either:
            * symlink it - or you'll run out of memory! and some random compile errors would happen
            * or just temporarily modify that CCACHE_DIR in make.conf TODO:
              * vim /etc/portage/make.conf
                \ CCACHE_DIR="/ccache"
        * hash -r && env-update && source /etc/profile ; source ~/.bashrc
          \ just did this for good measure
        * time FEATURES="-stricter" emerge -nav firefox
          \ Total: 5 packages (4 new, 1 in new slot), Size of downloads: 167616 KiB
          \ dur: 10m42s until collision due to rsync-ed config files: /etc/env.d/90nss-amd64  removed that, rerunning  (that file has same contents!)
          \ Total: 4 packages (3 new, 1 in new slot), Size of downloads: 0 KiB
          \ dur: 
          \ //old vbox: 229m30s (with lots of other background stuff going, like other compilations/youtube)
          \ old:
          \ still needs 4 other USE changes, for 4 other packages!
          \ >=dev-lang/python-2.7.10:2.7 sqlite
          \ >=dev-db/sqlite-3.8.10.2 secure-delete
          \ >=media-libs/libpng-1.6.17 apng
          \ >=media-libs/libvpx-1.4.0 postproc
          \ TODO: add those from the beginning of installation!
          \ //Total: 14 packages (8 new, 3 in new slots, 3 reinstalls), Size of downloads: 216,883 KiB
          \ //duration: 130m33s
          \ //duration: failed after 145m23s due to no space left(in tmpfs aka 90% of 8g ram), likely because 540MB was left in /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.18 (even tho i've installed 4.3.26 last! the failed one i forgot to delete!)
          \ //and kernel crashed with NULL pointer dereference!
          * remember to install https://github.com/futpib/policeman instead of requestpolicy  and also install uBlock (or adblock plus?)  AND noscript! (yes)
        - (rsynced) enable compositing for xfwm4
          * mkdir -p /etc/X11/xorg.conf.d/
          * vim /etc/X11/xorg.conf.d/25composite.conf (new file)
            \ Section "Extensions"
            \    Option  "Composite"  "Enable"
            \ EndSection
        * time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ update everything, if needed, based on what USE flags changed too.
          \ does nothing currently!
          \ actually, we got 1 package due to egl USE flag; shouldn't happen again because I put it in make.conf so any new full installations will see this command do nothing; duration 20m13s (it was qtgui)
        * time emerge -nav xfce4-screenshooter
          \ for screenshots; basically not needed for a virtualbox guest OS, because I could use virtualbox's screenshot feature or the xfce4-screenshooter on the host (unless the virtualbox window doesn't fit on the host's screen, in the latter case)
          \ 9m40s
        - time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ update everything, if needed, based on what USE flags changed too.
          \ should do nothing, currently
        * get chromium (warning: needs 25G space!)
          - (rsynced) chromium needs kernel options(or else sandbox won't work they say):
            \ CONFIG_USER_NS which recommends CONFIG_MEMCG and CONFIG_MEMCG_KMEM
            \ also SECCOMP_FILTER which I already did (rscyned)
            \ recompile kernel... and then recompile chromium
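The kernel options named here for the chromium sandbox (CONFIG_USER_NS, CONFIG_SECCOMP_FILTER, CONFIG_MEMCG, CONFIG_MEMCG_KMEM), plus the RTC ones from the ntp item earlier (CONFIG_RTC_CLASS, CONFIG_RTC_HCTOSYS, CONFIG_RTC_SYSTOHC) and CONFIG_TIMER_STATS for xfce4-power-manager, can be verified against a .config before the slow kernel rebuild and chromium emerge. This is an added example, not part of the original notes; the function names and the sample .config fragment are constructed for illustration, and it distinguishes an option that is switched off from one that does not exist in that kernel version at all.

```shell
#!/bin/sh
# Added example, not part of the original notes: check a kernel .config for the
# options the notes ask for (RTC-from-NTP, CONFIG_TIMER_STATS, and the
# CONFIG_USER_NS / CONFIG_SECCOMP_FILTER / CONFIG_MEMCG* ones for the chromium sandbox).
# On a real system point it at /usr/src/linux/.config, or at /proc/config.gz
# if the running kernel exposes it (IKCONFIG).

# Prints the config text; transparently gunzips /proc/config.gz-style inputs.
kconfig_source() {
    case $1 in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Classifies one option: prints set / not-set / unknown on stdout.
kconfig_state() {  # $1 = config file, $2 = CONFIG_* name
    if kconfig_source "$1" | grep -Eq "^$2=(y|m)$"; then
        echo set
    elif kconfig_source "$1" | grep -q "^# $2 is not set$"; then
        echo not-set
    else
        echo unknown   # the option does not exist in this kernel version at all
    fi
}

# Reports every option given after the file; the return value is the number not set.
check_kconfig() {  # $1 = config file, $2.. = required CONFIG_* names
    cfg=$1; shift
    missing=0
    for opt in "$@"; do
        state=$(kconfig_state "$cfg" "$opt")
        if [ "$state" = set ]; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt ($state)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample .config fragment: RTC and seccomp on, USER_NS and TIMER_STATS
# switched off, MEMCG_KMEM absent (as in a kernel that never had that symbol).
SAMPLE_KCONFIG=$(mktemp)
cat > "$SAMPLE_KCONFIG" <<'EOF'
CONFIG_RTC_CLASS=y
CONFIG_RTC_HCTOSYS=y
CONFIG_RTC_SYSTOHC=y
CONFIG_SECCOMP_FILTER=y
CONFIG_MEMCG=y
# CONFIG_USER_NS is not set
# CONFIG_TIMER_STATS is not set
EOF

echo "== RTC options (ntp wiki)"
check_kconfig "$SAMPLE_KCONFIG" CONFIG_RTC_CLASS CONFIG_RTC_HCTOSYS CONFIG_RTC_SYSTOHC || true
echo "== chromium sandbox options"
check_kconfig "$SAMPLE_KCONFIG" CONFIG_USER_NS CONFIG_SECCOMP_FILTER CONFIG_MEMCG CONFIG_MEMCG_KMEM \
    || echo "-> $? option(s) missing, rebuild the kernel before emerging chromium"
```

The return value is the count of missing options, so the script can gate a genkernel run in a wrapper; the `unknown` state is the one to look at first, since no amount of menuconfig will turn on a symbol the kernel tree does not have.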
          \ XXX: requirements: at least 3 GiB RAM + least 25 GiB disk space at "/var/tmp/portage/www-client/chromium-45.0.2454.15/temp"
          \ wants 3 USE changes
          \ then 33 packages... duration: 175m55s or 19m2s to reemerge with ccache, to show the same error
          \ !! failed due to killed ld... because of -g3 which they say consumes large amounts of memory!
          \ yeah ccache is at 32GB after this stunt!, df was at 4GB now at 26GB (due to that btrfs compression!)
          \ recompilation after the below changes (CXXFLAGS mostly) took 129m46s
          * vim /etc/portage/package.env
            \ www-client/chromium chromium.conf
          * vim /etc/portage/env/chromium.conf
            \ USE="-bindist"
            \ ^ to allow that H.264 video, or else: * bindist enabled: H.264 video support will be disabled.
            \ #//CFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all"
            \ #//CXXFLAGS="$CFLAGS"
            \ ^ that doesn't have the -g3 one!
            \ omitting these 2 for now, using make.conf ones!
          * to get 25G in /var/tmp/portage we must unmount it (it's tmpfs, remember?) so it hits the disk instead!
            * umount /var/tmp/portage
            * umount /var/tmp/
              \ yep, hits this one too!
          * time DEBUG= emerge -nav gsm
            \ this one fails when DEBUG=1 is set in environment (and it is for me in ~/.bashrc )
            \ error is:
            \ x86_64-pc-linux-gnu-gcc: error: 1: No such file or directory
            \
            \ Then another one with hardened compiler(not with vanilla though!) we get this error:
            \ /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/../../../../x86_64-pc-linux-gnu/bin/ld: ./src/toast.o: relocation R_X86_64_32 against `f_fast' can not be used when making a shared object; recompile with -fPIC
            \ ./src/toast.o: error adding symbols: Bad value
            \ collect2: error: ld returned 1 exit status
            \ Makefile:339: recipe for target 'bin/toast' failed
            \ make: *** [bin/toast] Error 1
            \ rsynced patch, tested to work.
          * equery m chromium
            \ see what's latest
          * time emerge -nav chromium
            \ check that this selected the latest (~amd64) version, because it usually doesn't unless there's a package.unmask entry or similar! even though I have ACCEPT_KEYWORDS=~amd64 in make.conf, it installed 45 (amd64) instead of 47 (~amd64), for example
            \ 647m13s real, 1900m2s user, 292m22s sys. (in virtualbox! sometimes with youtube videos playing in another vbox, aka less cpu available)
            \ 16G space consumed in /var/tmp/portage/www-client/chromium-45.0.2454.46/  (this is with -ggdb btw!)
            \ also failed at the ld stage (last part) due to out of memory, killed :) need more RAM than 10G, or maybe swap (also)
            \ dayum, that recompile worked with 10827MB RAM (instead of 10240MB which was previously the max it would let me allocate! amazing!); also the recompile (ebuild install phase) took 28min
          * need more fonts, possibly, for pages to display properly
            * time emerge -nav media-fonts/arphicfonts media-fonts/bitstream-cyberbit media-fonts/droid media-fonts/ipamonafont media-fonts/ja-ipafonts media-fonts/takao-fonts media-fonts/wqy-microhei media-fonts/wqy-zenhei 
              \ avoiding new license requirements: BitstreamCyberbit grass-ipafonts  from  media-fonts/bitstream-cyberbit-2.0 resp. media-fonts/ipamonafont-1.0.8
              \ duration(in vbox): 
            * add emoji fonts too!
              * time emerge -nav media-fonts/symbola
                \ 8m28s
                \ to test:
                \ http://www.fileformat.info/info/emoji/browsertest.htm
                \ http://www.fileformat.info/info/unicode/char/1f4a9/browsertest.htm
                \ http://fsymbols.com/emoji-bookmarklet/
              - (apparently not needed!) probably need some fontconfig to enable
                \ eselect fontconfig list
        * make sensors temp show up in sensors in xfce (untested here in virtualbox) NOT for in-virtualbox! this is for bare metal only!
          \ src: https://wiki.gentoo.org/wiki/Lm_sensors
          * put this new USE flag:
            \ lm_sensors
          * recompile all: time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world 
            \ 2 packages: 2m53.130s
          * /usr/sbin/sensors-detect
            \ XXX: this apparently needs the cpuid module (kernel!) which I planned on disabling since I don't need it in amdmsrtweaker-lnx !
            \ paste: YES  to every question, it worked fine, no lockups! (press Enter, works too) - no sensors detected in virtualbox!
            \ /etc/conf.d/lm_sensors contains this(without comments):
            \ LOADMODULES=yes
            \ INITSENSORS=yes
            \ HWMON_MODULES="it87"
            \ ^ the above is for my former desktop PC!
            \ Driver `k10temp' (built-in):
            \  * Chip `AMD Family 12h and 14h thermal sensors' (confidence: 9)
            \ ^ that's for Z575
          * rc-update add lm_sensors default
          * now add the sensors xfce4-panel plugin to the panel...
            \ if xfce4-sensors-plugin was already running and had these sensors selected, you have to deselect them, then restart the panel (xfce4-panel -r) and then select them again (they are not refreshed with the right names before selecting them, and they won't be refreshed while they're still selected!)
        - auto login with xdm and slim (untested here in virtualbox)
          \ NOTE: there's another type of autologin with aggetty (inittab) and .bash_profile - this is commented out but there. (don't use this xdm thing!)
          \ XXX: WORKS but Restart/Shutdown buttons are greyed out!! however, with just login from agetty and startx, they show up ok(after adding the right param to startxfce4  this one: --with-ck-launch )
          \ also don't like that X is started as root!!
          \ src: https://wiki.gentoo.org/wiki/SLiM
          * time emerge -nav x11-apps/xdm
            \ in virtualbox: 4 packages 4m19s
          * rc-update add xdm default
            \ to later remove it from autostart:
            \ rc-update del xdm default
          * time emerge -nav x11-misc/slim
            \ 57s (with chromium in parallel)
            \ in virtualbox: 1m23s
            * vim /etc/conf.d/xdm
              \ DISPLAYMANAGER="slim"
          * vim /etc/slim.conf
            * find the uncommented login_cmd line
              \ replace it with:
              \ login_cmd           exec /bin/bash -login ~/.xinitrc %session
              \ ie. uncomment the above
            * autologin, add these lines:
              \ default_user        zazdxscf
              \ focus_password      yes
              \ auto_login          yes
          * start it now? (should reboot instead, to be sure it works rightly)
            \ /etc/init.d/xdm start
        * rc-update del xdm default
        - (we don't use this anymore)set pcmanfm as desktop TODO: (untested here in virtualbox)
          \ currently xfdesktop is on, and apparently sux!
          \ FIXME: I actually put a delay here (on desktopPC) after which a kill pcmanfm will happen and then starting it up again, or else it will sometimes offset the desktop position (at startup) due to some bug!
          * Applications Menu (aka start menu) -> Settings -> Sessions and startup -> Application Autostart(tab)
            \ Add, name it desktop, in Command put: pcmanfm --desktop
            \ Logout and startx to see the change!
          * remove xfdesktop from being autostarted!
            \ this gets unconditionally run by /etc/xdg/xfce4/xinitrc  as line: xfdesktop&
            \ clearly we cannot remove the package owning that! aka xfce-base/xfce4-session-4.10.1-r2  because it has xfce4  xfconf and startxfce4 and etc.
            * add Application Autostart (just like pcmanfm --desktop was added above)
              \ Name: kill xfdesktop
              \ Command: pkill xfdesktop
              \ seems to work fine!
        * get whisker menu (untested here in virtualbox)
          * time emerge -nav xfce-extra/xfce4-whiskermenu-plugin
            \ on virtualbox: 1m8s (with firefox/youtube on background)
            \ on real: 1m31s
          * add it to panel via rightclick->Panel->Add New Items->Whisker Menu
            \ then move it with Right-click on it -> Move
        * get weather plugin (untested here in virtualbox)
          * time emerge -nav xfce-extra/xfce4-weather-plugin
            \ on virtualbox: 1m38s
            \ on desktop: 26s
          * add it to panel...
        * get net speed plugin
          * time emerge -nav xfce-extra/xfce4-netspeed-plugin
            \ on virtualbox: 3m1s
            \ on desktop: 52s
          * add it to panel...
        * add already existing orage(plugin) to Panel just like you did the above ones! (untested here in virtualbox)
          * remove the old clock which has no other features on click
          * set Line 1, to:
            \ %H:%M:%S
            \ otherwise you see AM/PM
        - vnc, choose one(or whatever): (untested here in virtualbox)
          \ but won't be available in xdm/slim start(login) screen!!
          * get vnc (x11vnc)
            * time emerge -nav x11-misc/x11vnc
              \ in virtualbox: 2m18s
              \ on desktop: 47s
            * to start it in current X to share its desktop
              \ run: x11vnc
              \ this is the better command:
              * x11vnc -localhost -no6 -noipv6 -nap -ping 5
            - to start it with the xfce session
              * go to Session and Startup -> Application Autostart
                * make new: Add
                  \ Name: vnc server
                  \ Command: the one I used above
            - not really: it's necessary to make a desktop icon to start it, because it will crash with stack smashing at some point!!
              - so do it.
              * XXX: actually I can start it from ssh, I just have to be logged in as the same user! or su
            * connect through ssh
              * ssh -p 8822 -L 55900:localhost:5900 127.0.0.20
                \ this is ssh forwarding
                \ ssh to port 8822 to remote 127.0.0.20
                \ and keep port 55900 open on localhost(aka 127.0.0.1)
                \ and whoever connects to localhost:55900 on your side is forwarded through the ssh tunnel to the remote's port 5900 (the remote sees it as a local connection from its own 127.0.0.1 to its port 5900)
                \ so you vnc to localhost:55900
                * vncviewer 127.0.0.1:55900
                  \ and this goes through ssh so it's protected!
          - get vnc (vino)
            \ works well with current X display!!! (not starting a new hidden one!) but uses x11vnc with a bugged TLS wrapper which has to be disabled anyway, so use x11vnc instead!(through ssh tunneling = perfect)
            * time emerge -nav vino
              \ 10 packages
              \ on virtualbox: 19m7s
            * within X, start it to serve:
              * /usr/libexec/vino-server
            * see vino's settings:
              * gsettings list-recursively org.gnome.Vino
            * some bug that I cannot connect with vncviewer(realvnc and tightvnc)
              \ src: http://unix.stackexchange.com/questions/77885/how-can-i-connect-to-gnome-3-with-a-windows-vnc-client
              * gsettings set org.gnome.Vino require-encryption false
                \ that disabled encryption
                \ now realvnc's vncviewer will work, and also tightvnc's vncviewer will work too!(tested)
            * remove it?
              * time emerge -av --depclean vino
              * time emerge @preserved-rebuild
                \ nothing? ok
          - get VNC aka tightvnc (and make it work through ssh because it's otherwise plaintext)
            \ src: https://wiki.gentoo.org/wiki/TightVNC
            \ so the problem with this one is that it doesn't connect to EXISTING X, but rather starts a new one.
            * vim /etc/portage/package.use/tightvnc
              \ net-misc/tightvnc server
            * time emerge -nav net-misc/tightvnc
              \ 4m45s
              \ 10m53s in virtualbox
            * su - zazdxscf
              * vncpasswd
                \ don't set a view-only password, when asked
            * vim /etc/conf.d/vnc
              \ DISPLAYS="root:0 a:0 a:1"
            * rc-update add vnc default
            * vncserver "$DISPLAY" -interface lo -localhost -nevershared -economictranslate -deferupdate 100 -httpport 20000 -depth 32 -geometry 800x600
            * fail badly
              \ missing fonts...
        * to get Shutdown/Restart buttons in xfce4 (untested here in virtualbox)
          \ src: https://forums.gentoo.org/viewtopic-p-7506664.html?sid=3fc45a9a656fdef391dba30b6a269398#7506664
          * vim /home/zazdxscf/.xinitrc
            \ this is the line:
            \ exec startxfce4 --with-ck-launch
            \ ok this works if using startx after login from console! but not from when xdm/slim does it(startx) for me!
            \ and also I had the polkit script 10-admin.rules  (see below!)
            \ currently using this line instead:
            \ exec ck-launch-session dbus-launch --sh-syntax --exit-with-session startxfce4  
            \
          - rc-update add consolekit default
            \ not needed! should not be in any runlevel!
          - (rsynced) ok it would've worked, probably, if I had consolekit in my USE flags!! it's -consolekit by default!
            \ src: https://wiki.gentoo.org/wiki/ConsoleKit
            * vim /etc/portage/make.conf
              \ add   consolekit policykit  to USE flags!!
            * time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world   
              \ 5 packages, though 7 are shown
            - rc-update add consolekit default
              \ it was already, but to be sure!
              \ not needed!! 
            * rc-update del consolekit default
              \ it's not in any runlevels and still works and is started soooo... remove it from default!
            * vim /etc/polkit-1/rules.d/10-admin.rules
              \ XXX: the buttons do appear without this, but restarting won't work - has no effect and you can see the error after X exits.
              \ src: https://wiki.gentoo.org/wiki/Polkit
              \ just this will do because my user is already in wheel group (for sudo)
              \ polkit.addAdminRule(function(action, subject) {
              \   return ["unix-group:wheel"];
              \ });
              * or use this if not in wheel group(but notice the username!! and change it accordingly):
                \ polkit.addRule(function(action, subject) {
                \    if ( ((action.id == "org.freedesktop.udisks2.filesystem-mount") ||
                \         (action.id == "org.freedesktop.consolekit.system.restart") ||
                \         (action.id == "org.freedesktop.consolekit.system.shutdown") ) &&
                \        subject.user == "zazdxscf") {
                \        return "yes";
                \    }
                \ });
            * still nothing: restart/shutdown buttons are greyed out!!
              * just add dbus to default (already done)
        * setup ssh correctly (tested in virtualbox too)
          - vim /etc/conf.d/sshd
            \ the default one is at: /etc/ssh/sshd_config  (well, depends on SSHD_CONFDIR setting in /etc/conf.d/sshd )
          * vim /etc/ssh/sshd_config
            \ man sshd_config
            \ start uncommenting and changing stuff as follows:
            * change Port
              \ Port 22
              \ AddressFamily inet
              \ ListenAddress 0.0.0.0
            * and the rest:
              \ Protocol 2
              \ HostKey /etc/ssh/ssh_host_ed25519_key
              - run this: /usr/bin/ssh-keygen -t ed25519 -a 120 -f /etc/ssh/ssh_host_ed25519_key -b 512
                \ don't put any passphrase
                \ 399 bytes, already existed, so don't regen!
                \ XXX: "Ed25519 keys have a fixed length and the -b flag will be ignored." from man ssh-keygen
              \ LogLevel VERBOSE
              \ LoginGraceTime 30s
              \ PermitRootLogin yes
              \ StrictModes yes
              \ MaxAuthTries 1
              \ MaxSessions 10
              \ RSAAuthentication no
              \ PubkeyAuthentication yes
              \ AuthorizedKeysFile      .ssh/authorized_key
              \ RhostsRSAAuthentication no
              \ HostbasedAuthentication no
              \ IgnoreUserKnownHosts yes
              \ IgnoreRhosts yes
              \ PasswordAuthentication no
              \ PermitEmptyPasswords no
              \ ChallengeResponseAuthentication no
              \ #^ yes = enables TIS Challenge/Response in SSH protocol version 1, and keyboard-interactive in SSH protocol v2
              \ UsePAM no
              \ #^ PAM not used if public key authentication is used! src: https://dev.gentoo.org/~swift/docs/security_benchmarks/openssh.html#item-xccdf_org.gentoo.dev.swift_group_config-default
              \ AllowAgentForwarding no
              \ AllowTcpForwarding yes
              \ GatewayPorts no
              \ X11Forwarding no
              \ PermitTTY yes
              \ PrintMotd no
              \ PrintLastLog yes
              \ TCPKeepAlive yes
              \ UseLogin no
              \ UsePrivilegeSeparation sandbox
              \ PermitUserEnvironment no
              \ Compression delayed
              \ ClientAliveInterval 30
              \ ClientAliveCountMax 5
              \ UseDNS no
              \ PermitTunnel point-to-point
              \ NoneEnabled no
              \ AcceptEnv LANG LC_*
              \ Ciphers aes256-ctr
              \ # Set this to the unix group whose members are allowed access
              \ #AllowGroups ssh
              \ AllowUsers root zazdxscf emacs
              \ DenyUsers portage a
              \ MACs hmac-sha2-512-etm@openssh.com
              \ KexAlgorithms curve25519-sha256@libssh.org
              \ AuthenticationMethods publickey
              \ #ListenAddress 192.168.100.121
              * there's a line
                \ Subsystem sftp  /usr/lib64/misc/sftp-server
                \ but I commented it out!
            * put your key there:
              * # mkdir ~/.ssh
              * from host:
                * scp -P 8822 -4vp ~/.ssh/id_ed25519.pub root@127.0.0.111:/root/.ssh/authorized_key
                  \ this copies your ssh public key into virtualbox as authorized key! so you can now ssh into the virtualbox w/o a password
              * # ls -la ~/.ssh
                \ -r--r--r-- 1 root root  93 Feb 21 18:49 authorized_key
              * # chmod go-rwx ~/.ssh/authorized_key
              * # ls -la ~/.ssh
                \ -r-------- 1 root root  93 Feb 21 18:49 authorized_key
            * /etc/init.d/sshd restart
          * verify that root and zazdxscf can connect
            \ done; btw, you have to put the same key inside /home/zazdxscf/.ssh/
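          \ Added example (my own, not part of these notes or of OpenSSH): a small audit of an sshd_config against the values settled on above, to run before restarting sshd. sshd applies the FIRST value it reads for a keyword, so the audit looks at the first uncommented occurrence, not the last; the sample config is constructed and deliberately sets PasswordAuthentication twice and leaves X11Forwarding out.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config against
# the hardened values listed above before restarting sshd.
# sshd uses the FIRST value it reads for a keyword (see sshd_config(5)),
# so sshd_get returns the first uncommented occurrence, not the last.

# sshd_get CONFIG KEY -> prints the effective value of KEY ("" if unset);
# keyword match is case-insensitive, like sshd itself
sshd_get() {
    awk -v k="$2" '
        tolower($1) == tolower(k) { v = $0; sub(/^[^ \t]+[ \t]+/, "", v); print v; exit }
    ' "$1"
}

# sshd_audit CONFIG -> one line per directive that deviates from the notes
sshd_audit() {
    cfg=$1
    # "Keyword expected" pairs, taken from the sshd_config block in the notes
    printf '%s\n' \
        'Protocol 2' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' \
        'PermitEmptyPasswords no' \
        'ChallengeResponseAuthentication no' \
        'AuthenticationMethods publickey' \
        'UsePAM no' \
        'AllowAgentForwarding no' \
        'X11Forwarding no' \
        'UseDNS no' \
        'StrictModes yes' |
    while read -r key want; do
        have=$(sshd_get "$cfg" "$key")
        if [ -z "$have" ]; then
            printf '%s: not set, sshd default applies (notes use "%s")\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s: is "%s", notes use "%s"\n' "$key" "$have" "$want"
        fi
    done
}

# Constructed sample config with two deviations: PasswordAuthentication is
# set twice (the first value wins, so it is still "yes") and X11Forwarding
# is never set at all.
SAMPLE_SSHD=$(mktemp)
cat >"$SAMPLE_SSHD" <<'EOF'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAuthentication yes
PasswordAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
UsePAM no
AllowAgentForwarding no
UseDNS no
StrictModes yes
EOF

sshd_audit "$SAMPLE_SSHD"
# on the real box: sshd_audit /etc/ssh/sshd_config
```

          \ The audit only parses the "Keyword value" form and ignores Match blocks, so treat its output as a first pass, and run `sshd -t` afterwards as usual, because the audit says nothing about whether sshd will accept the file.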
        * (already in effect!) fixed: how to make startx not hang on `hostname -f`, which it does when internet isn't available but the network is up!
          * make hostname -f  NOT DNS lookup upstream ...
            \ WOW I mean, WOW! lacking a ::1 (aka ipv6) entry in /etc/hosts will cause hostname -f to DNS lookup (AAAA? hostnamehere) that upstream!!! fml!! because USE=-ipv6
            \ in fact lacking either ipv4 or ipv6 in /etc/hosts for your hostname will cause a DNS query out.
            \ btw to test this, disconnect your LAN cable, make sure the interface is still UP (not NetworkManager making it down) and this way `hostname -f` will hang.
            * vim /etc/hosts
              \ 127.0.0.1 localhost tux
              \ ::1 localhost tux
              \ #^ those must exist! to avoid DNS queries
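          \ Added example (my own, not part of these notes): a check that /etc/hosts maps the hostname to both a loopback IPv4 and a loopback IPv6 address, i.e. the two lines above, since missing either one is what sends the A/AAAA query upstream. The sample hosts file is constructed and has the ::1 line missing on purpose.

```shell
#!/bin/sh
# Added example, not from the original notes: report which address family
# (IPv4, IPv6) has no /etc/hosts entry for a given name.

# hosts_missing HOSTSFILE NAME -> prints one line per missing address family,
# prints nothing when both a v4 and a v6 line name NAME
hosts_missing() {
    awk -v h="$2" '
        { sub(/#.*/, "") }            # drop comments (re-splits the fields)
        NF < 2 { next }               # blank lines / address without names
        {
            for (i = 2; i <= NF; i++)
                if ($i == h) { if ($1 ~ /:/) v6 = 1; else v4 = 1 }
        }
        END {
            if (!v4) print "no IPv4 entry for " h
            if (!v6) print "no IPv6 entry for " h
        }
    ' "$1"
}

# Constructed sample: the 127.0.0.1 line is there, the ::1 line was forgotten.
SAMPLE_HOSTS=$(mktemp)
cat >"$SAMPLE_HOSTS" <<'EOF'
# constructed /etc/hosts
127.0.0.1 localhost tux
EOF

hosts_missing "$SAMPLE_HOSTS" tux
# on the real box: hosts_missing /etc/hosts "$(hostname)"
```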
        * get layman for overlay management
          \ https://wiki.gentoo.org/wiki/Layman
          \ https://wiki.gentoo.org/wiki/Layman#Using_.27repos.conf.27_method_.28default_method_for_app-portage.2Flayman-2.1.0_or_later_.29
          * time emerge -nav '>=app-portage/layman-2.3.0'
            \ duration: 1m11.272s
            \ //adds 2 unstable flags
            \ //use dispatch-conf, u
            \ believe me, you don't want the stable layman! it makes you do something to make.conf the first time!
          * vim /etc/layman/layman.cfg
            * search for and set new value:
              \ auto_sync : no
              \ nocheck  : no
          * layman-updater --rebuild
            \ only (unstable) 2.3.0 (well not 2.0.0 stable) has this --rebuild option!
            \ not needed at this time but it regens /etc/portage/repos.conf/layman.conf which is currently an empty file (after the above emerge, and even after running this layman-updater -R command, because emerge did that too)
        * now that you have layman, get uTox
          * mask all packages in the overlay
            * mkdir /etc/portage/package.mask/
            * vim /etc/portage/package.mask/tox
              \ new file, contents:
              \ */*::tox-overlay
          * refresh layman's db
            * layman --fetch
          * add utox overlay
            * layman -a tox-overlay
              \ unofficial blah blah
            * time emerge --regen --jobs=4
              \ for caching the overlay too (i think?)
              \ dur: 0m50.891s
          - set some flags to workaround things in utox
            \ nevermind already -filter_audio in global USE flags
            - vim /etc/portage/package.env 
              \ append this line:
              \ net-im/utox tox.conf
            - vim /etc/portage/env/tox.conf
              \ #CFLAGS="$CFLAGS -g3 -O1 -DDEBUG"
              \ #CPPFLAGS="$CPPFLAGS -g3 -O1 -DDEBUG"
              \ #CXXFLAGS="$CXXFLAGS -g3 -O1 -DDEBUG"
          * time emerge -av utox
            \ this adds 2 keyword changes for 9999 aka git
            \ dispatch-conf, u
            \ rerun above emerge command
            \ //duration, desktop: 3m34s 
            \ laptop: Total: 6 packages (6 new), Size of downloads: 3977 KiB
            \ duration, laptop: 8min until needed inet access, rerunning
            \ extra dur. for tox and utox -9999 packages: 3m26.609s
            \ //utox is fixed at commit: bdd1a009518e325a73a527da152793102b765ef6  currently! so beware when using git version to communicate between two! (different versions will fail)
            \ //this is on par with tox-git commit 4ad76497881ee2a623acdedcf0ac10406208b716
            \ utox is at: e39ce15ec6f444d4e2452ea501a1a06f1014175b
            \ tox is at : 6120b0e0bb865ab196cdf717a4829a3f83ef1e7b
          * get in X and test if it works!
        * get pdf viewer 
          * time emerge -nav evince
            \ //Total: 20 packages (19 new, 1 in new slot), Size of downloads: 54,449 KiB
            \ //duration: 60m15s
        * get lsusb
          * time emerge -nav sys-apps/usbutils
            \ //1m31s
        * get vlc
          \ already did this above, 16mins
          * make sure qt4 USE flag is set somehow before emerging!! done, set globally!
        - jdk6
          * vim /etc/portage/package.use/jdk6
            \ dev-java/icedtea-bin -cups
          * mask jdk7
            \ or else it will ask you to add ~amd64 on a later --update @world
            * vim /etc/portage/package.mask/java
              \ >=virtual/jdk-1.7.0
              \ >=virtual/jre-1.7.0
          * time emerge -nav '>=virtual/jdk-1.6.0'
            \ duration: 1m49s
          * java-config --list-available-vms
            \ *)  IcedTea JDK 6.1.13.5 [icedtea-bin-6]
        * fail2ban
          * TODO: ensure kernel has the iptables modules! like filter and stuff...
          * time emerge -nav net-analyzer/fail2ban
            \ //vbox: 1m32s
            \ //desktop: 52s
          * time emerge -nav app-admin/gamin
            \ //vbox: 4m4s
            \ //desktop: 
          * vim /etc/fail2ban/jail.d/sshd.conf
            \ [ssh-iptables]
            \ enabled  = true
            \ filter = sshd
            \ action = iptables[name=SSH, port=ssh, protocol=tcp]
            \ logpath = /var/log/sshd/current
            \ maxretry = 5 
          * rc-service fail2ban start
          * rc-update add fail2ban default
          * see status
            * fail2ban-client status
            * fail2ban-client status ssh-iptables
          * to unban IP
            \ note: when banned, every active and future connection is blocked! (eg. existing ssh sessions hang waiting for the unban)
            * to see the IP, do either one:
              * fail2ban-client status ssh-iptables
              * iptables -v -L
            * to unban that IP
              * fail2ban-client set ssh-iptables unbanip 10.0.2.2
                \ jailname is ssh-iptables
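          \ Added example (my own, not fail2ban's code): the per-source-IP failure count that the sshd filter plus "maxretry = 5" amounts to, run over a few constructed sshd log lines, so you can see which address the jail would hand to iptables. It ignores findtime/bantime, so it tells you who would be banned, not when the ban lapses; the log prefix in /var/log/sshd/current depends on the logger, the sshd message text is what matters here.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: count failed sshd logins per
# source IP and list the addresses that reached maxretry, which is the
# decision the ssh-iptables jail makes before inserting its iptables rule.
# findtime/bantime windows are not modelled.

# ban_candidates LOGFILE MAXRETRY -> prints "IP COUNT" for each IP with
# COUNT >= MAXRETRY, sorted by IP; prints nothing when nobody qualifies
ban_candidates() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed (password|publickey)|Invalid user) .* from [0-9.]+/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' "$1" | sort
}

# Constructed sample log: 10.0.2.2 fails five times (password, invalid user,
# password again), 192.0.2.10 fails once and then logs in with a key.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Sep  1 10:00:01 tux sshd[1234]: Failed password for root from 10.0.2.2 port 40000 ssh2
Sep  1 10:00:02 tux sshd[1234]: Failed password for root from 10.0.2.2 port 40000 ssh2
Sep  1 10:00:03 tux sshd[1235]: Invalid user admin from 10.0.2.2 port 40001
Sep  1 10:00:04 tux sshd[1236]: Failed publickey for zazdxscf from 192.0.2.10 port 40002 ssh2
Sep  1 10:00:05 tux sshd[1235]: Failed password for invalid user admin from 10.0.2.2 port 40001 ssh2
Sep  1 10:00:06 tux sshd[1238]: Accepted publickey for zazdxscf from 192.0.2.10 port 40003 ssh2
Sep  1 10:00:07 tux sshd[1239]: Failed password for root from 10.0.2.2 port 40005 ssh2
EOF

ban_candidates "$SAMPLE_LOG" 5
# on the real box: ban_candidates /var/log/sshd/current 5
```

          \ With "MaxAuthTries 1" in sshd_config every wrong key or password is a separate connection, so a single misconfigured client (wrong key in the agent, say) reaches five failures quickly; that is why an existing session from the same IP can suddenly hang, as noted above.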
        * to be able to open archives like .zip
          * time emerge -nav xarchiver
            \ dispatch-conf, u
            \ //duration: 2m0s
          * time emerge -nav app-arch/unzip app-arch/zip app-arch/p7zip
            \ don't really need these; zip's already in!
            \ 6m41s
            \ avoiding  app-arch/unrar and app-arch/rar  due to different licenses
        * images viewer
          * time emerge -nav xdg-utils
            \ to get xdg-open, which mc uses to, for example, invoke viewnior when you press enter on a .png or .jpg
            \ also to get ability for programs to install their mime-type files which registers their extensions! FIXME: TODO: move this to top so it's available early! but unsure if this is the one doing this, maybe via xdg-mime
            \ tested to work while previously(without it) didn't.
            \ 7 packages, 3m19s
            - (nope it's already set!) Still have to set .png and .jpg in mime-editor because default is unset! to run viewnior that is
              * xfce4-mime-settings
                \ search for png, then jpeg
                \ select viewnior for each! (becomes User-set, not the empty Default)
                \ XXX: hmm, already set after installing viewnior-1.4 now, because:
                \ * Updating desktop mime database ...
                \ unusual because this didn't happen on previous install(in gentoo normal, non-hardened) but to note that for some reason xdg-utils was already installed before emerging viewnior now. - moving viewnior after it.
          * time emerge -nav viewnior
            \ duration: 4m30s
        * time emerge -nav pwgen
          \ less than 1 min
        * time emerge -nav vbindiff
          \ 35s
        * time emerge -nav app-admin/keepassx
          \ 11m37s
        * time emerge -nav net-analyzer/tcpdump
          \ //3m54s
          \ Total: 3 packages (3 new), Size of downloads: 2185 KiB
          \ dur: 3m44.945s
        * time emerge -nav =ffmpeg-9999
          \ getting git version of ffmpeg(previously 2.7.2 which was crashing firefox 39.0.0) - git version is also crashing but not with 40.0.2 firefox.
          \ 16m51s
        * time emerge -nav x11-apps/xev
          \ //1m29s
          \ 0m52.870s
        * time emerge -nav media-gfx/gimp
          \ //39m55s (with firefox/youtube on background)
    * ln -snf /proc/self/mounts /etc/mtab
      \ else you get a warning on every boot about it, that it's deprecated to update /etc/mtab, so this is the way to "fix" it.
      \ should be in rsync by now
    * colordiff
      \ time emerge -avn app-misc/colordiff
    * time emerge -nav app-portage/mirrorselect
      \ Total: 19 packages (19 new), Size of downloads: 3,251 KiB
      \ 16m52s (in parallel with chromium compile)
      \ //20 packages, 11m5s
      \ not getting this on bare metal; dang it, already have it from the customiso!
    - time emerge -nav media-gfx/zgv
      \ for when pressing enter on .png and .jpg files inside mc
      \ XXX: errors in media-libs/svgalib-1.9.25-r4
    - virtualbox-guest-additions (for eg. copy/paste to work between host and guest)
      * time emerge -navo '>=virtualbox-guest-additions-5.0.2'
        \ install everything else, eg. deps!
      * time CCACHE_DISABLE=1 emerge -nav '>=virtualbox-guest-additions-5.0.2'
        \ ccache does this "error: code model kernel does not support PIC mode"
        \ 7m51s
      * add user to vboxguest group
        \ gpasswd -a zazdxscf vboxguest
        \ needs relogin to have effect!
      * make sure we're already using mesa lib
        \ usually already selected, and the only one in list
        * eselect opengl list
          \ [1] xorg-x11 *
          * if not do: eselect opengl set xorg-x11
      - (rsynced) vim /etc/X11/xorg.conf.d/30_dri.conf
        \ ensure this is uncommented (although probably unneeded because it picked it up before anyway)
        \ Driver "vboxvideo"
        \ NOTE: this file doesn't exist!! I don't know which package added it! I think I created this manually!
        \ Section "Device"
        \  Identifier "Device0"
        \  Driver "vboxvideo"
        \ #  BusID "PCI:0:1:0"
        \  Option "DRI" "true"
        \  Option "AccelMethod" "EXA"
        \ EndSection
        \
        \
        \ Section "DRI"
        \  Group "video"
        \  Mode 0666
        \ EndSection
      * gpasswd -a zazdxscf vboxsf
        \ needs relogin to have effect!
        * NOTE: to mount shared folders within virtualbox do: mount -t vboxsf sharedfoldername mountpoint
          \ and you have to be in vboxsf group to be able to access them! or else only root can!  
      * rc-update add virtualbox-guest-additions default
      * rc-service virtualbox-guest-additions start
        \ so, naturally a reboot will start that, if you don't issue this command!
        \ if you don't do this now, you get "VBoxClient: the VirtualBox kernel service is not running. Exiting." as a systray tooltip right after you startx. (you also get this under hardened gentoo with grsec enabled in kernel - it might be because polkitd segfaults? but dbus doesn't go down with it) see: https://bugs.gentoo.org/show_bug.cgi?id=472098#c31 It's not because polkitd segfaults because that's fixed now: https://bugs.gentoo.org/show_bug.cgi?id=559436
        \ it's because /proc/modules cannot be accessed by normal user!
        \ ^ [  146.859209] grsec: exec of /usr/bin/VBoxClient-all (VBoxClient-all ) by /usr/bin/VBoxClient-all[xfce4-session:9826] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xfce4-session[xfce4-session:9798] uid/euid:1000/1000 gid/egid:1000/1000
        \ [  147.157551] grsec: exec of /bin/rm (rm -f /home/zazdxscf/.vboxclient-*.pid ) by /bin/rm[VBoxClient-all:9827] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/VBoxClient-all[VBoxClient-all:9826] uid/euid:1000/1000 gid/egid:1000/1000
        \ [  147.176473] grsec: exec of /bin/grep (grep -q vboxguest /proc/modules ) by /bin/grep[VBoxClient-all:9828] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/VBoxClient-all[VBoxClient-all:9826] uid/euid:1000/1000 gid/egid:1000/1000
        \ [  147.268116] grsec: exec of /usr/bin/libnotify-notify-send (notify-send VBoxClient: the VirtualBox kernel service is not running.  Exiting. ) by /usr/bin/libnotify-notify-send[VBoxClient-all:9829] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/VBoxClient-all[VBoxClient-all:9826] uid/euid:1000/1000 gid/egid:1000/1000
        \ looks like VBoxClient-all (when startx, as user zazdxscf) doesn't have access to /proc/modules and thus thinks that the module is not loaded!
        \ grep: /proc/modules: Permission denied
        \ this is because of CONFIG_GRKERNSEC_PROC
    * (doesn't apply to bare metal) recompile mesa
      * grep swrast /var/log/Xorg.0.log
        \ see if you have the error
        * if you have it, then re-emerge
          \ to get rid of this error from /var/log/Xorg.0.log
          \ [  8759.324] (EE) AIGLX error: dlopen of /usr/lib64/dri/swrast_dri.so failed (/usr/lib64/dri/swrast_dri.so: undefined symbol: _ZN4llvm19RTDyldMemoryManager25getSymbolAddressInProcessERKSs) 
          \ this probably happened because mesa was compiled with gcc 4.8.4 and whatever else followed (eg. Xorg) was compiled with gcc 5.2.0; I even checked: the .so date was 7 hours earlier than my emerging gcc 5.2.0 command.
          * time emerge -av media-libs/mesa
            \ duration(vbox): 24m26s
    * grsecurity
      \ TODO: use grsecurity to also prevent apps from going out on the internet!
      \ https://superuser.com/questions/179994/is-there-an-interactive-firewall-for-outbound-traffic-on-ubuntu
      * make sure all stuff is up to date
        * time emerge-webrsync -v -k
        * time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
      * open/mount boot device
        * cryptsetup --verbose --allow-discards luksOpen /dev/sda2 luks_on_sda2_boot
        * mount /bewt
      * get latest kernel
        * time emerge -nav --update sys-kernel/hardened-sources
          \ or remove the --update if you never had a hardened kernel already (unlikely!)
      * select latest hardened kernel
        * eselect kernel list
          \ see all kernels
        * copy old .config file from current kernel into the new one:
          * cp /usr/src/linux/.config /usr/src/linux-4.0.6-hardened-r2/
        * eselect kernel set 2
          \ [2]   linux-4.0.6-hardened-r2
        * eselect kernel list
          \ see it worked:
          \ [2]   linux-4.0.6-hardened-r2 *
      * pax utils
        * time emerge -nav sys-apps/paxctl sys-apps/gradm app-misc/pax-utils app-admin/paxtest
          \ should be already installed (in which case nothing happens)
          \ paxtest should not be run now, but only after reboot when pax is enabled and stuff
          \ time paxtest blackhat
          \ 5m16s (without grsecurity enabled)
      * cd /usr/src/linux
        \ VERY IMPORTANT - to be done after the 'eselect kernel set' or else you find yourself in the old dir editing the old(previous) kernel's .config
      * configure kernel for grsecurity
        \ details of each option: http://resources.infosecinstitute.com/gentoo-hardening-part-2-introduction-pax-grsecurity/
        * make nconfig
        * find grsecurity kernel config options as menu entries:
          \ search for the config option from here: https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart  eg. CONFIG_PAX_XATTR_PAX_FLAGS aka PAX_XATTR_PAX_FLAGS (because you drop the CONFIG_ part)
          \ search for that on this page: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options  and you see right above it something like this: "Use filesystem extended attributes marking"
          \ well since we're using make nconfig, we can use F8 SymSearch to find the symbols!
        * enable config options:
          * CONFIG_GRKERNSEC
            \ -> Security options -> Grsecurity -> Grsecurity
          * CONFIG_GRKERNSEC_CONFIG_CUSTOM
            \ -> Security options -> Grsecurity -> Grsecurity (GRKERNSEC [=y]) -> Configuration Method (<choice> [=y]) -> Custom [=y]
          * PaX  ---> 
            * CONFIG_PAX - [*] Enable various PaX features
              \ -> Security options -> Grsecurity -> Grsecurity (GRKERNSEC [=y]) -> Customize Configuration -> PaX -> Enable various PaX features [=y]
            * PaX Control  --->
              * [ ] Support soft mode (NEW)
                \ CONFIG_PAX_SOFTMODE
              * [*] Use ELF program header marking (NEW)
                \ CONFIG_PAX_PT_PAX_FLAGS
                \ select this or polkitd will fail to start! because it has in-header embedded paxctl(-ng) settings (PT_PAX, not XATTR_PAX flags) which allow it to run normally instead of being killed by grsec.
              * CONFIG_PAX_XATTR_PAX_FLAGS
                \ -> Security options -> Grsecurity -> Grsecurity (GRKERNSEC [=y]) -> Customize Configuration -> PaX -> Enable various PaX features (PAX [=y]) -> PaX Control -> Use filesystem extended attributes marking [=y]
                \ TODO: see if this is actually needed at all
              * PAX_HAVE_ACL_FLAGS  (default)
                \ ... -> PaX Control -> MAC system integration (<choice> [=y]) -> direct
            * Non-executable pages  --->
              * CONFIG_PAX_NOEXEC - Enforce non-executable pages
              * CONFIG_PAX_PAGEEXEC - Paging based non-executable pages
                * CONFIG_PAX_EMUTRAMP - Emulate trampolines
                  \ XXX: need this enabled for python/portage on hardened kernel or else they won't work (says so in the F2 help)
                  \ pax_kernel USE flag is already enabled automatically (so, not in make.conf); use 'emerge --info' to see
                  \ TODO: get rid of this option somehow because of the loophole it opens (see F2 help)
                * CONFIG_PAX_MPROTECT - Restrict mprotect()
                  \ don't set the 2 sub-options
                  * [ ]   Use legacy/compat protection demoting (read help) (NEW)
                    \ CONFIG_PAX_MPROTECT_COMPAT
                  * [ ]   Allow ELF text relocations (read help) (NEW)
                    \ CONFIG_PAX_ELFRELOCS
              * CONFIG_PAX_KERNEXEC - Enforce non-executable kernel pages
                * CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS (default) - Return Address Instrumentation Method - bts
            * Address Space Layout Randomization  --->
              * CONFIG_PAX_ASLR - Address Space Layout Randomization
              * CONFIG_PAX_RANDKSTACK - Randomize kernel stack base
              * CONFIG_PAX_RANDMMAP - Randomize user stack and mmap() bases
            * Miscellaneous hardening features  --->
                \ select all except this one, due to slowdown and gcc plugin requirement (untested): [ ] Generate some entropy during boot and runtime.  TODO: select this and see how it works!
              * [*] Sanitize all freed memory
                \ CONFIG_PAX_MEMORY_SANITIZE
                \ added this to kernel cmdline: pax_sanitize_slab=full
                \ to kinda disable it: pax_sanitize_slab=off
              * [*] Sanitize kernel stack
                \ CONFIG_PAX_MEMORY_STACKLEAK
              * [*] Forcibly initialize local variables copied to userland
                \ CONFIG_PAX_MEMORY_STRUCTLEAK
              * [ ] Prevent invalid userland pointer dereference
                \ CONFIG_PAX_MEMORY_UDEREF
                \ has kernel cmdline: pax_weakuderef  for better performance impact (if I read that correctly!)
                \ TODO: try with this on, on bare metal; but not on virtualbox! because it should slow it down a lot!(they say)
              * [*] Prevent various kernel object reference counter overflows
                \ CONFIG_PAX_REFCOUNT
              * [*] Automatically constify eligible structures (NEW)
                \ CONFIG_PAX_CONSTIFY_PLUGIN
                \ already enabled by default
              * [*] Harden heap object copies between kernel and userland
                \ CONFIG_PAX_USERCOPY
              * [*] Prevent various integer overflows in function size parameters
                \ CONFIG_PAX_SIZE_OVERFLOW
              * [ ] Generate some entropy during boot and runtime (NEW)
                \ CONFIG_PAX_LATENT_ENTROPY
                \ don't select this!
          * Memory Protections  --->
            * [*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port (NEW)
              \ CONFIG_GRKERNSEC_KMEM
              \ should not select this, because then you cannot write to the msr, which is needed for undervolting
              \ also kexec support is removed - just a note.
              \ TODO: find a way to undervolt without needing to write to /dev/cpu/*/msr (see: amdmsrtweaker-lnx)
              \ enable this inside virtualbox! (but not on bare metal, yet)
            * [ ] Disable privileged I/O
              \ don't select this (CONFIG_GRKERNSEC_IO: Disable privileged I/O)
              \ because X won't start: vboxvideo.c fails when trying an inl instruction that gets the RAM size.
              \ //(already rsynced) use the patch from here: http://resources.infosecinstitute.com/gentoo-hardening-part-4-pax-rbac-clamav/  or else X won't start (also needs recompile X I think)
              \ //patch is technically here: https://github.com/N8Fear/hvb-overlay/blob/master/x11-base/xorg-server/files/xorg-nohwaccess.patch
              \ //so to wget https://raw.github.com/N8Fear/hvb-overlay/master/x11-base/xorg-server/files/xorg-nohwaccess.patch
              \ //XXX: for now, fails to compile xorg-server-1.17.1-r1 due to: "* !!! User patches were applied to this build!"  well no shiet! or maybe it's due to this: "/usr/lib/portage/python2.7/phase-helpers.sh: /var/tmp/portage/x11-base/xorg-server-1.17.1-r1/work/xorg-server-1.17.1/configure: /bin/sh: bad interpreter: Permission denied" - that's what you get with grsecurity already enabled but not configured, I guess...
              \ //XXX: ^ yep, worked fine without grsecurity already compiled&enabled.
              \ //this should fix it: https://forums.gentoo.org/viewtopic-t-971312-start-0.html (tested) but it's unrelated to this configure option that I'm commenting on (it's about tpe below)
              \ recompiling x11-base/xorg-server took 8m29s (ccache)
            * [*] Harden BPF interpreter
              \ CONFIG_GRKERNSEC_BPF_HARDEN
            * [*] Disable unprivileged PERF_EVENTS usage by default
              \ CONFIG_GRKERNSEC_PERF_HARDEN
            * [*] Insert random gaps between thread stacks
              \ CONFIG_GRKERNSEC_RAND_THREADSTACK
            * [*] Prevent kernel stack overflows
              \ CONFIG_GRKERNSEC_KSTACKOVERFLOW
            * [*] Harden ASLR against information leaks and entropy reduction (NEW)
              \ CONFIG_GRKERNSEC_PROC_MEMMAP
              \ already selected (by default)
            * [*] Prevent kernel stack overflows
              \ CONFIG_GRKERNSEC_KSTACKOVERFLOW
            * [*] Deter exploit bruteforcing
              \ CONFIG_GRKERNSEC_BRUTE
              \ sysctl option: deter_bruteforce
            * [ ] Harden module auto-loading
              \ CONFIG_GRKERNSEC_MODHARDEN
              \ don't select this yet, because I don't have the will to check which modules I have to make root load (or to put in some list to be already loaded at boot) in order for things like startx to work.
            * [*] Hide kernel symbols
              \ CONFIG_GRKERNSEC_HIDESYM
              \ TODO: see what and how to get CAP_SYS_MODULE for root user. (apparently it's a process capability)
            * [*] Randomize layout of sensitive kernel structures
              \ CONFIG_GRKERNSEC_RANDSTRUCT
              * [ ]   Use cacheline-aware structure randomization 
                \ CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
                \ don't select this
            * [ ] Active kernel exploit response
              \ CONFIG_GRKERNSEC_KERN_LOCKOUT
              \ TODO: see what happens when this is selected!
          * Role Based Access Control Options  --->
            \ leave all these as defaults (eg. unset, 3,30)
            * unset [ ] Disable RBAC system (NEW)  (default)
            * [ ] Hide kernel processes
              \ CONFIG_GRKERNSEC_ACL_HIDEKERN
              \ TODO: maybe enable/test this one?
          * Filesystem Protections  --->
            * [*] Proc restrictions
              \ CONFIG_GRKERNSEC_PROC
              * [*]   Restrict /proc to user only
                \ CONFIG_GRKERNSEC_PROC_USER
              * [ ]     Allow special group
                \ CONFIG_GRKERNSEC_PROC_USERGROUP
                \ has kernel cmdline: grsec_proc_gid=
                \ TODO: eventually select this and make a group, or something...
                * GRKERNSEC_PROC_GID [=1001]
                  \ FIXME: select the right gid here and TODO: create it on cmdline!
            * [*] Additional restrictions
              \ CONFIG_GRKERNSEC_PROC_ADD
            * [*] Linking restrictions
              \ CONFIG_GRKERNSEC_LINK
              \ sysctl option: linking_restrictions
            * [*] Kernel-enforced SymlinksIfOwnerMatch
              \ CONFIG_GRKERNSEC_SYMLINKOWN
              \ sysctl option: enforce_symlinksifowner
              * (1006) GID for users with kernel-enforced SymlinksIfOwnerMatch
                \ GRKERNSEC_SYMLINKOWN_GID [=1006]
                \ sysctl option: symlinkown_gid
                \ TODO: get the right gid here after you create that group on cmdline!
            * [*] FIFO restrictions
              \ CONFIG_GRKERNSEC_FIFO
              \ sysctl: fifo_restrictions
            * [ ] Sysfs/debugfs restriction
              \ CONFIG_GRKERNSEC_SYSFS_RESTRICT
              \ fixedme: "This option also breaks pulseaudio and battery widgets, which won't be able to get access to the /sys filesystem, which is why the pulseaudio on a hardened system might not work. Don't enable this option if you're on a desktop system." src: http://resources.infosecinstitute.com/gentoo-hardening-part-2-introduction-pax-grsecurity/
              \ disabled this to see if pulseaudio will detect the soundcard (inside virtualbox) - yep, confirmed to work but no sound is heard, hmm... I mean, the soundcard is detected this time and seems to work, but there's no sound heard on the host, I think because of virtualbox; changing the soundcard type in the virtualbox config I think fixed it last time, yep: remove codec="AD1980" from the *.vbox file!
            * [*] Runtime read-only mount protection
              \ CONFIG_GRKERNSEC_ROFS
              \ sysctl: romount_protect
              \ "By setting this option to 1 at runtime, filesystems will be protected in the following ways:
              \ * No new writable mounts will be allowed
              \ * Existing read-only mounts won't be able to be remounted read/write
              \ * Write operations will be denied on all block devices"
            * [*] Eliminate stat/notify-based device sidechannels
              \ CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL
              \ CAP_MKNOD (process capability)
            * [*] Chroot jail restrictions
              \ CONFIG_GRKERNSEC_CHROOT
              * select all suboptions here, EXCEPT this one:
                \ [ ]   Exempt initrd tasks from restrictions - CONFIG_GRKERNSEC_CHROOT_INITRD
          * Kernel Auditing  --->
            \ enable all EXCEPT this one:
            \ [ ] Single group for auditing (NEW) CONFIG_GRKERNSEC_AUDIT_GROUP
          * Executable Protections  --->
            \ set all options and set the GID to 0 (aka root group, instead of 10 wheel group)
            * [*] Dmesg(8) restriction
              \ CONFIG_GRKERNSEC_DMESG
            * [*] Deter ptrace-based process snooping
              \ CONFIG_GRKERNSEC_HARDEN_PTRACE
            * [*] Require read access to ptrace sensitive binaries
              \ CONFIG_GRKERNSEC_PTRACE_READEXEC
            * [*] Enforce consistent multithreaded privileges
              \ CONFIG_GRKERNSEC_SETXID
            * [*] Disallow access to overly-permissive IPC objects
              \ CONFIG_GRKERNSEC_HARDEN_IPC
            * [*] Trusted Path Execution (TPE)
              \ CONFIG_GRKERNSEC_TPE
              * [*]   Partially restrict all non-root users
                \ CONFIG_GRKERNSEC_TPE_ALL
              * [*]   Invert GID option
                \ CONFIG_GRKERNSEC_TPE_INVERT
            * (120) GID for TPE-trusted users - CONFIG_GRKERNSEC_TPE_TRUSTED_GID
              * groupadd --system tpe_group
              * getent group tpe_group|cut -d: -f3
                \ the id of the newly created group
              * set that id number (eg. 120) as the GID number here on this option CONFIG_GRKERNSEC_TPE_TRUSTED_GID
              * gpasswd -a portage tpe_group
                \ Adding user portage to group tpe_group
                * TODO: also add zazdxscf user to tpe_group
                  \ or else it cannot execute anything that it owns, eg. ./go
                  * gpasswd -a zazdxscf tpe_group
              * note: now it looks like this (AFTER reboot!)
                \ # sysctl -a|grep -i tpe
                \ kernel.grsecurity.tpe = 1
                \ kernel.grsecurity.tpe_gid = 120
                \ kernel.grsecurity.tpe_invert = 1
                \ kernel.grsecurity.tpe_restrict_all = 1
                \ sysctl: tpe_invert (default on)
                \ XXX: if you later get "/bin/sh: bad interpreter: Permission denied" during an emerge (virtualbox-guest-additions for example, at extracting the second archive) then it's this TPE thing's fault! tested to be so just by disabling tpe via sysctl! aka kernel.grsecurity.tpe=0 ;
                \ also doesn't work with:
                \ kernel.grsecurity.tpe = 1
                \ kernel.grsecurity.tpe_gid = 250  (that's 'portage' group)
                \ kernel.grsecurity.tpe_invert = 0
                \ kernel.grsecurity.tpe_restrict_all = 1
                \ and with:
                \ kernel.grsecurity.tpe = 1
                \ kernel.grsecurity.tpe_gid = 0
                \ kernel.grsecurity.tpe_invert = 1
                \ kernel.grsecurity.tpe_restrict_all = 1
                \ but works with this(because portage group is allowed now):
                \ kernel.grsecurity.tpe = 1
                \ kernel.grsecurity.tpe_gid = 250
                \ kernel.grsecurity.tpe_invert = 1
                \ kernel.grsecurity.tpe_restrict_all = 1
                \ + /var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.2/work/VirtualBox-5.0.2/src/VBox/Additions/linux/export_modules /var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.2/work/vbox-kmod.tar.gz
                \ /var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.2/temp/environment: /var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.2/work/VirtualBox-5.0.2/src/VBox/Additions/linux/export_modules: /bin/sh: bad interpreter: Permission denied
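                \ Added example (not from these notes and not grsecurity's code): a shell model of one TPE exec() decision, to show why the three sysctl combinations above behaved as they did. It assumes portage is uid/gid 250 and that its work dir is portage-owned with mode 0755, and it models only the directory-ownership/writability rules from the TPE kernel help (no RBAC roles, no world-writable-file check).

```shell
#!/bin/sh
# Added illustration, not grsecurity's code: a model of one TPE exec() decision,
# using the directory rules from the GRKERNSEC_TPE / GRKERNSEC_TPE_ALL kernel
# help. Simplifications: RBAC roles and the world-writable-file check are not
# modelled, and only the parent directory of the executed file is examined.
#
# tpe_exec_check TPE TPE_GID TPE_INVERT TPE_RESTRICT_ALL UID "GIDS" DIR_UID DIR_MODE
#   TPE..TPE_RESTRICT_ALL : the kernel.grsecurity.* sysctl values
#   UID, "GIDS"           : the executing user's uid and its groups (space separated)
#   DIR_UID, DIR_MODE     : owner and octal mode of the directory holding the file
# Prints "allow" or "deny: <reason>"; returns 0 for allow, 1 for deny.
tpe_exec_check() {
    tpe=$1 tpe_gid=$2 tpe_invert=$3 tpe_restrict_all=$4
    uid=$5 gids=$6 dir_uid=$7 dir_mode=$8

    # root is never restricted by TPE
    if [ "$uid" = 0 ]; then
        echo allow
        return 0
    fi

    in_tpe_group=0
    for g in $gids; do
        [ "$g" = "$tpe_gid" ] && in_tpe_group=1
    done

    # group/other write bits of the directory (last two octal digits of the mode)
    dir_mode=$(printf '%s' "$dir_mode" | tail -c 3)
    grp=${dir_mode%?}
    grp=${grp#?}
    oth=${dir_mode#??}
    dir_writable=0
    if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
        dir_writable=1
    fi

    # With tpe_invert=1 the gid names the *trusted* group, so everyone outside
    # it is untrusted; with tpe_invert=0 the gid names the *untrusted* group.
    untrusted=0
    if [ "$tpe" = 1 ]; then
        if [ "$tpe_invert" = 1 ] && [ "$in_tpe_group" = 0 ]; then untrusted=1; fi
        if [ "$tpe_invert" = 0 ] && [ "$in_tpe_group" = 1 ]; then untrusted=1; fi
    fi

    if [ "$untrusted" = 1 ]; then
        # full TPE: only files in root-owned, non-group/world-writable dirs may run
        if [ "$dir_uid" != 0 ]; then
            echo "deny: untrusted user, directory not owned by root"
            return 1
        fi
        if [ "$dir_writable" = 1 ]; then
            echo "deny: untrusted user, directory is group/world writable"
            return 1
        fi
    fi

    if [ "$tpe" = 1 ] && [ "$tpe_restrict_all" = 1 ]; then
        # GRKERNSEC_TPE_ALL: every other non-root user is partially restricted
        if [ "$dir_uid" != 0 ] && [ "$dir_uid" != "$uid" ]; then
            echo "deny: directory not owned by root or by the user"
            return 1
        fi
        if [ "$dir_writable" = 1 ]; then
            echo "deny: directory is group/world writable"
            return 1
        fi
    fi

    echo allow
    return 0
}

# Replay of the three sysctl combinations tried above for the portage user
# (uid/gid 250 as on this box) running a script in its own work directory,
# which is assumed to be portage-owned with mode 0755.
tpe_demo() {
    for combo in "250 0" "0 1" "250 1"; do
        set -- $combo
        printf 'tpe_gid=%s tpe_invert=%s -> ' "$1" "$2"
        tpe_exec_check 1 "$1" "$2" 1 250 "250" 250 0755 || true
    done
}

tpe_demo
```

The same function explains the ./go case: a user outside tpe_group is fully restricted and cannot run anything in its own home, while a member is only partially restricted and may run files from its own non-group-writable directories.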
          * Network Protections  --->
            * [*] TCP/UDP blackhole and LAST_ACK DoS prevention
              \ CONFIG_GRKERNSEC_BLACKHOLE
            * [*] Disable TCP Simultaneous Connect
              \ CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
            * [*] Socket restrictions
              \ CONFIG_GRKERNSEC_SOCKET
            * [*]   Deny any sockets to group
              \ CONFIG_GRKERNSEC_SOCKET_ALL
              \ sysctl: socket_all
              * (65534) GID to deny all sockets for (NEW)
                \ CONFIG_GRKERNSEC_SOCKET_ALL_GID
                \ sysctl: socket_all_gid
                \ TODO: get a gid here, or create the group with this gid!
            * [ ]   Deny client sockets to group
              \ CONFIG_GRKERNSEC_SOCKET_CLIENT
              \ sysctl: socket_client
            * [ ]   Deny server sockets to group
              \ CONFIG_GRKERNSEC_SOCKET_SERVER
              \ sysctl: socket_server
          * Physical Protections  --->
            * [*] Deny new USB connections after toggle
              \ CONFIG_GRKERNSEC_DENYUSB
              \ sysctl: deny_new_usb
              *  [ ]   Reject all USB devices not connected at boot
                \ CONFIG_GRKERNSEC_DENYUSB_FORCE
          * Sysctl Support  --->
            * [*] Sysctl support - CONFIG_GRKERNSEC_SYSCTL
              \ temporarily set this up, for now; FIXME:/TODO: unset this after I know how to use grsec correctly!
              \ can echo values to /proc/sys/kernel/grsecurity  (1 enable, 0 disable)
              \ all sysctl entries are mutable until grsec_lock is set to non-zero.
              * [ ]   Extra sysctl support for distro makers (READ HELP)
                \ CONFIG_GRKERNSEC_SYSCTL_DISTRO
              * [*]   Turn on features by default
                \ CONFIG_GRKERNSEC_SYSCTL_ON
          * Logging Options  --->
            * (3) Seconds in between log messages (minimum)
              \ default is 10
            * (6) Number of messages in a burst (maximum)
              \ default is (still) 6
      * (re)build kernel
        * . /etc/profile
          \ to clear PATH which includes ccache's gcc
        - time FEATURES="-ccache" genkernel all --bootdir="/bewt" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs  --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --no-mountboot --no-postclear
          \ FIXME: ^ this is likely outdated
        * time CCACHE_DISABLE=1 genkernel all --bootdir="/bewt" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs  --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-mrproper --no-clean --no-postclear --oldconfig
          \ 40m7s
        * grub2-mkconfig -o /bewt/grub/grub.cfg 2>&1
        * umount /bewt
        * cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot
        * sync
      * update modules due to kernel update:
        \ there are only 2 modules which are found by: emerge -avt1 @module-rebuild
        * vboxsf and co.
          * . /etc/profile
          * time emerge -av '>=app-emulation/virtualbox-guest-additions-5.0.2'
            \ //this doesn't currently compile with virtualbox 5.0.0 due to some missing thing in makefile - fixed in 5.0.2 ! bug number 554952 on bugs.gentoo.org
            \ compilation works with hardened gcc, but must not use ccache (rsynced)
        * search above for xf86-video-virtualbox to compile this too! (vboxvideo)
          \ this is done by: emerge -avt1 @module-rebuild
          \ need to be compiled with vanilla gcc, but ccache must be off (this latter part is rsynced)
      * reboot & exit
      * after reboot
        * gradm -P
          \ only works when kernel has grsec enabled(selected in kernel, that is)!
        * gradm -F -L /etc/grsec/learning.log
          \ works without needing to switch to admin role via  gradm -a admin  (to leave admin role: gradm -u admin )
        * TODO: need more here, eg. enable RBAC system, remove sysctl access from kernel...
      - pax_kernel needed? not needed (because emerge --info shows pax_kernel is already set): see if we need to add USE=pax_kernel
        \ "By default, python has CONFIG_PAX_EMUTRAMP enabled by
        \ the ebuild when USE=pax_kernel is set, otherwise CONFIG_PAX_PAGEEXEC
        \ is enabled as a fallback."
        \ from: F2 help of CONFIG_PAX_EMUTRAMP
    * (already have them because of rsynced world did recompile 370 packages) recompile glibc
      \ so that we get symbols and source code installed!
      * time emerge -av glibc
        \ 61m13s (94m user, 93m sys)
    * still need a filemanager
      * time emerge -nav pcmanfm
        \ 5 packages, duration: 10m33s
      * time emerge -nav lxde-base/lxmenu-data
        \ support the menu://applications/ location
        \ wtw that is.
        \ //1m25s
    * hexchat
      * time emerge -av hexchat
        \ //2 packages (due to USE=spell)
        \ //duration (with chromium compilation in the background): 15m52s
      - time emerge -av x11-themes/sound-theme-freedesktop
        \ this for default BEEP sound (already having USE=libcanberra)
        \ duration:
        \ ok this isn't necessary (pulse audio System Sounds being at 100%, the soundcard sound is heard fine, it's not like a speaker BEEP though)
    * time emerge -nav x11-apps/radeontop
      \ to see how much GPU % is used during vlc and see if vsync is really on.
      \ 30s
    * time emerge -nav dev-python/lxml
      \ required for making .xpi of https-everywhere
      \ duration: 4m48.591s, user 4m14.627s, sys  0m24.323s


* config
  * fontconfig (how to configure system fonts)
    \ less /usr/share/doc/fontconfig-2.11.1-r2/README.gentoo*
    \ eselect fontconfig ...
    \ ^ will overwrite /etc/fonts/fonts.conf

* howtos
  * check all installed packages for modifications of their installed files
    * q qcheck --all -v -B
      \ will show packages that have at least 1 bad checksum, but not the file(s) which do.
      * q qcheck -v packagename
        \ will show which files of that packagename have the bad checksum
  - (rsynced) scanelf: seccomp_load failed: Invalid argument
    \ don't install pax-utils-1.1 or you get those errors during any emerges
    \ pax-utils-1.0.5 tested to work ok
  * what else needs to be done after a kernel upgrade
    * do whatever was needed to compile kernel and eselect kernel
    * time emerge -avt1 @module-rebuild
      * note that for virtualbox modules (vboxsf, vboxguest) ccache must be disabled (so the @module-rebuild won't work) - this applies for hardened gentoo/kernel only!
        \ that is: app-emulation/virtualbox-guest-additions-4.3.26
        * time CCACHE_DISABLE=1 emerge -av virtualbox-guest-additions
          \ for guest OS integration (copy/paste for example)
      * the xf86-video-virtualbox will need to be compiled with vanilla gcc ! so @module-rebuild won't work for this!
        \ takes 10m23s or less (ccache disabled, required)
  * in order for executing scripts in ~/bin/ to work for zazdxscf with pax/grsec enabled
    * gpasswd -a zazdxscf tpe_group
    * TODO: find another way? maybe make the bin folder root owned and writable, but group+other not writable! (this means that every time I've to edit something in there, I've to fuck with the permissions on the dir)
    
  * (rsynced, but monitor name may vary) set display resolution on startup (startx)
    \ https://wiki.gentoo.org/wiki/Xorg/Guide#Setting_the_screen_resolution
  * build your own admincd iso
    - get catalyst (for building stages and .iso)
      * time emerge -nav dev-util/catalyst
        \ 16 packages, 22m43s; 47m10s on hardened (with youtube playing on background)
      * vim /etc/catalyst/catalyst.conf
        \ options="autoresume bindist kerncache pkgcache seedcache snapcache ccache"
      * cd /root
      * catalyst -s latest
      * git clone https://anongit.gentoo.org/git/proj/releng.git
      * get a stage3 and unpack in current dir (see #stage3)
        * download
          * wget http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/stage3-amd64-hardened+nomultilib-20150813.tar.bz2.DIGESTS.asc
          * wget http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/stage3-amd64-hardened+nomultilib-20150813.tar.bz2
        * verify integrity
          * get key
            * gpg --recv-keys 0xBB572E0E2D182910
              \ that created /root/.gnupg/gpg.conf which is required for the following* to work (or you'll have to specify --keyserver keys.gnupg.net or subkeys.pgp.net as the first option to gpg, before --recv-keys):
            * gpg --recv-keys 0xBB572E0E2D182910
              \ seems like a good idea to NOT put this in /etc/portage/gpg/ just in case this key gets compromised and used to sign, let's say. On the other hand the keys are probably signed by each other which would ensure higher trust.
          * check key fingerprint
            * gpg --fingerprint
              \ should match with the one here:
              \ https://www.gentoo.org/proj/en/releng/#doc_chap5
              \ 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
          * check key sigs
            * gpg --check-sigs
              \ should be 1 bad signature, the 2009-08-25 one at the end (sig-3)
              \ sig!3  and sig-3 (the latter is the bad one)
              \ "The exclamation mark is only produced on --check-sigs, it's absent on 
              \ --list-sigs so it's an indication that the signature is good. All signatures 
              \ with --check-sigs should have the ! because signatures made by keys not in 
              \ your key ring are excluded.
              \ The digit is the indication of how much verification took place before signing 
              \ - when you sign a key, GnuPG asks you how carefully you verified the key, 3 
              \ is the highest level - very careful checking."
              \ from: http://lists.gnupg.org/pipermail/gnupg-users/2004-July/022910.html
          * check .asc sig
            * gpg --verify *.asc
              \ gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
              \ ...
              \ same key fingerprint from above
          * check sha512sum of the tar
            * sha512sum -c *.asc
              \ first should be OK, second FAILED (because it's whirlpool not sha512)
              \ stage3-amd64-nomultilib-20141204.tar.bz2: OK
              \ stage3-amd64-nomultilib-20141204.tar.bz2: FAILED
      * mkdir -p /var/tmp/catalyst/builds/default
      * move stage3 to specific dir
        * mv stage3* /var/tmp/catalyst/builds/default
      * catalyst -v -f releng/releases/weekly/specs/amd64/hardened/admincd-stage1.spec 
      * ...
    * http://gentoo-en.vfose.ru/wiki/Build_Your_Own_LiveCD_or_LiveDVD#Introduction
      \ that article was last updated 3 years ago +-3 months
      * time emerge -nav app-cdr/cdrtools sys-fs/squashfs-tools
        \ hmm, already have them apparently (maybe they got installed with catalyst package?) - yes
        \ this adds them to favs
      * time emerge -nav dev-util/catalyst
        \ 16 packages, 22m43s; 47m10s on hardened (with youtube playing on background)
      * vim /etc/catalyst/catalyst.conf
        \ options="autoresume bindist kerncache pkgcache seedcache snapcache ccache"
      * cd /root
      * catalyst -s latest
        \ creating a snapshot from current /usr/portage/
        \ puts it in: /var/tmp/catalyst/snapshots/portage-latest.tar.bz2*
        \ (depends on a /etc/catalyst/catalyst.conf setting for the location!)
        \ space taken: 866M
        \ the *.bz2* files take only 85M
      * export LIVECD="$HOME/admincd"
        \ #NEXTTIME
      * mkdir -p "$LIVECD/source"
        \ this will use at least 9.2G(du) of space
      * cd "$LIVECD/source"
        \ #NEXTTIME
      * get a stage3 and unpack in current dir (see #stage3)
        * download
          * links http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/
            \ to find latest stage3 to download
          * wget http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/stage3-amd64-hardened+nomultilib-20150813.tar.bz2.DIGESTS.asc
          * wget http://mirrors.xservers.ro/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/stage3-amd64-hardened+nomultilib-20150813.tar.bz2
        * verify integrity
          * get key
            * gpg --recv-keys 0xBB572E0E2D182910
              \ that created /root/.gnupg/gpg.conf which is required for the following* to work (or you'll have to specify --keyserver keys.gnupg.net or subkeys.pgp.net as the first option to gpg, before --recv-keys):
            * gpg --recv-keys 0xBB572E0E2D182910
              \ seems like a good idea to NOT put this in /etc/portage/gpg/ just in case this key gets compromised and used to sign, let's say. On the other hand the keys are probably signed by each other which would ensure higher trust.
          * check key fingerprint
            * gpg --fingerprint
              \ should match with the one here:
              \ https://www.gentoo.org/proj/en/releng/#doc_chap5
              \ 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
          * check key sigs
            * gpg --check-sigs
              \ should be 1 bad signature, the 2009-08-25 one at the end (sig-3)
              \ sig!3  and sig-3 (the latter is the bad one)
              \ "The exclamation mark is only produced on --check-sigs, it's absent on 
              \ --list-sigs so it's an indication that the signature is good. All signatures 
              \ with --check-sigs should have the ! because signatures made by keys not in 
              \ your key ring are excluded.
              \ The digit is the indication of how much verification took place before signing 
              \ - when you sign a key, GnuPG asks you how carefully you verified the key, 3 
              \ is the highest level - very careful checking."
              \ from: http://lists.gnupg.org/pipermail/gnupg-users/2004-July/022910.html
          * check .asc sig
            * gpg --verify *.asc
              \ gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
              \ ...
              \ same key fingerprint from above
          * check sha512sum of the tar
            * sha512sum -c *.asc
            \ first should be OK, second FAILED (because it's whirlpool not sha512)
            \ stage3-amd64-nomultilib-20141204.tar.bz2: OK
            \ stage3-amd64-nomultilib-20141204.tar.bz2: FAILED
        * unpack
          * tar xvjpf stage3-*.tar.bz2
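          \ Added example (not from these notes or from Gentoo's own tooling): the "second FAILED" line above comes from sha512sum being fed the WHIRLPOOL entries too. The helper below reads only the lines under a "# SHA512 HASH" header of a DIGESTS(.asc) file, so a FAILED line can only ever mean a real mismatch. It assumes GNU coreutils (sha512sum, mktemp) and awk; the file and tarball names it builds in make_sample are constructed stand-ins, not a real stage3, and gpg --verify still has to pass first.

```shell
#!/bin/sh
# Added example, not part of the original notes: check only the SHA512
# entries of a Gentoo-style *.DIGESTS(.asc) file, so the WHIRLPOOL lines
# are never reported as spurious "FAILED" results. Assumes GNU coreutils
# (sha512sum, mktemp) and awk; the gpg --verify step still comes first.
set -eu

# Print the "hash  filename" lines that sit under a "# SHA512 HASH" header,
# stopping at the PGP signature block if the file is the .asc form.
sha512_lines() {
    awk '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }
        /^# [A-Z0-9]+ HASH$/ { want = ($2 == "SHA512"); next }
        want && NF == 2 { print }
    ' "$1"
}

# Verify every SHA512 entry of a DIGESTS file against the files beside it.
# Returns 0 only if all of them match; a missing or altered file returns 1.
verify_digests() {
    digests="$1"
    dir=$(dirname "$digests")
    name=$(basename "$digests")
    ( cd "$dir" && sha512_lines "$name" | sha512sum -c - >/dev/null 2>&1 )
}

# Build a constructed sample (NOT a real stage3) in a scratch directory:
# a tiny tarball stand-in plus a DIGESTS.asc with a real SHA512 line and a
# deliberately bogus WHIRLPOOL line, mirroring the layout of the real files.
make_sample() {
    dir=$(mktemp -d)
    tarball="stage3-sample.tar.bz2"
    printf 'constructed sample payload\n' > "$dir/$tarball"
    sum=$(cd "$dir" && sha512sum "$tarball")
    bogus=$(printf '%0128d' 0)     # placeholder digest, not a real WHIRLPOOL value
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' ''
        printf '# SHA512 HASH\n%s\n' "$sum"
        printf '# WHIRLPOOL HASH\n%s  %s\n' "$bogus" "$tarball"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' \
            '(signature omitted in this constructed sample)' \
            '-----END PGP SIGNATURE-----'
    } > "$dir/$tarball.DIGESTS.asc"
    printf '%s\n' "$dir"
}

# Usage on the real files, after gpg --verify has reported a good signature:
#   verify_digests stage3-amd64-hardened+nomultilib-20150813.tar.bz2.DIGESTS.asc && echo "sha512 OK"
```

          \ The point of filtering by header rather than grepping for the tarball name is that the same DIGESTS file also carries entries for the .CONTENTS file; those are checked too when present, and nothing is silently skipped.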
      * extract the portage stuff
        * tar -xvjpf /var/tmp/catalyst/snapshots/portage-latest.tar.bz2 -C usr
          \ ./usr already exists due to prev. extraction!
      - (nvm we need it on --update after webrsync) do not set up /etc/resolv.conf because we don't need internet(portage) to download packages!
        \ so yeah, don't!
      * mkdir proc dev sys run
        \ all already exist!
      * mount points
        * mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=1777 tmpfs ./tmp && mount --rbind ./tmp/ ./var/tmp/ && mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 tmpfs ./var/tmp/portage/ && mount -t proc proc ./proc ; mount --rbind /sys ./sys ; mount --rbind /dev ./dev ; mount --rbind /run ./run && echo done.
          \ #NEXTTIME
        - mount --rbind ./tmp/ ./var/tmp/
        - mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 tmpfs ./var/tmp/portage/
        - mount -t proc proc ./proc ; mount --rbind /sys ./sys ; mount --rbind /dev ./dev ; mount --rbind /run ./run
        * avoid redownload...
          * mkdir -p ./usr/portage/distfiles
          * mount --rbind /usr/portage/distfiles ./usr/portage/distfiles
            \ #NEXTTIME
        * use that ccache goodness
          * mkdir -p ./ccache
          * mount --rbind /ccache ./ccache
            \ #NEXTTIME
        * portage patches
          * mkdir -p ./patches
          * mount --rbind /patches ./patches
            \ #NEXTTIME
          - cp --archive -- /patches ./patches/
          * cp --archive -- /etc/portage/bashrc ./etc/portage/
          * cp --archive -- /etc/portage/patches ./etc/portage/
            \ it's a symlink, remember?
          * cp --archive -- /etc/portage/postsync.d ./etc/portage/
            \ needed when you do emerge-webrsync -v -k  inside chroot!
      * set up make.conf
        * cp --archive -- /etc/portage/make.conf ./etc/portage/
          \ overwrite
        * vim ./etc/portage/make.conf
          * remove USE flags: X qt4
          * TODO: maybe remove USE flags: dbus consolekit
            \ maybe also remove: -nls
            \ but note that it will miss ccache this way! (currently still misses it because old items got expunged due to many recent chromium compilations)
          * add USE flags: livecd -X userlocales -qt4
          * TODO: add USE flags: -dbus -consolekit
            \ maybe also add: nls
            \ so to avoid recompiling packages just because of this single flag change!
      - cp --archive -- /etc/default/grub ./etc/default/
        * vim ./etc/default/grub
          * prepend to kernel cmdline: cdroot
          * remove: crypt_root rd.luks.uuid
      * cp --archive -- /etc/locale.gen ./etc/
        \ overwrite!
      * cp --archive -- /etc/inittab ./etc/
        \ so it doesn't autoclear after boot! it has that --noclear arg already!
      * cp --archive -- /etc/resolv.conf ./etc/
        \ so we can download new packages during a later emerge below
      - cp --archive -- /etc/localtime ./etc/
        \ this is regenerated by an emerge
      * cp --archive -- /etc/timezone ./etc/
      * cp --archive -- /etc/rc.conf ./etc/
      - all these are done later, manually:
        * cp --archive -- /etc/conf.d/net ./etc/conf.d/
        * cp --archive -- /etc/init.d/net.lo ./etc/init.d/
        * cp --archive -- /etc/init.d/net.enp0s3 ./etc/init.d/
          \ it's a symlink to net.lo
        * cp --archive -- /etc/runlevels/default/net.enp0s3 ./etc/runlevels/default/
          \ this is the equivalent of running the following inside chroot:
          \ rc-update add net.enp0s3 default
      * rm ./etc/runlevels/default/netmount
        \ this is the equivalent of running the following inside chroot:
        \ rc-update del netmount default
      * cp --archive -- /usr/src/linux ./usr/src/
      * cp --archive --reflink=always -- /usr/src/linux-4.1.7-hardened ./usr/src/
        \ XXX: make sure this is the folder that /usr/src/linux points to, before copying!
        \ It doesn't matter that the hardened-sources are not installed! 'eselect kernel list' will work properly!
      * ln -sf /proc/self/mounts ./etc/mtab
      * fix /bin/sh: bad interpreter: Permission denied
        \ on future emerges from within chroot! this is needed because host is using grsec enabled kernel!
        * getent group tpe_group|cut -d: -f3
          \ the id of the existing group on host(outside chroot)
        * set that id number (eg. 120) as the GID number here:
          * chroot "${LIVECD}/source/" groupadd --system tpe_group --gid 120
        * chroot "${LIVECD}/source/" gpasswd -a portage tpe_group
          \ Adding user portage to group tpe_group
      * fix fstab
        * vim ./etc/fstab
          \ XXX: ensure there's a space(newline) at the beginning and end of file!
          \ contents:
          \
          \ /dev/loop0              /               squashfs        defaults             0 0
          \ none                    /proc           proc            defaults             0 0
          \ none                    /dev/shm        tmpfs           defaults             0 0
          \
      * grsec settings to relax chroot for emerge not to fail on some packages!
        * sysctl -w kernel.grsecurity.chroot_deny_mount=0 ; sysctl -w kernel.grsecurity.chroot_deny_chmod=0 ; sysctl -w kernel.grsecurity.chroot_deny_chroot=0
          \ #NEXTTIME also see #RESTORE below
        - sysctl -w kernel.grsecurity.chroot_deny_chmod=0
        - sysctl -w kernel.grsecurity.chroot_deny_chroot=0
        - sysctl -w kernel.grsecurity.chroot_caps=0
          \ this fixes the frequent : Unable to unshare: EPERM
          \ in dmesg is probably this: [75212.656718] grsec: From 10.0.2.2: use of CAP_SYS_ADMIN in chroot denied for /root/admincd/source/usr/lib64/python-exec/python3.4/emerge[emerge:24096] uid/euid:0/0 gid/egid:0/0, parent /root/admincd/source/usr/lib64/python-exec/python3.4/emerge[emerge:4652] uid/euid:0/0 gid/egid:0/0
          \ kernel.grsecurity.chroot_caps is kernel config option CONFIG_GRKERNSEC_CHROOT_CAPS:
          \ "If you say Y here, the capabilities on all processes within a
          \ chroot jail will be lowered to stop module insertion, raw i/o
          \ system and net admin tasks, rebooting the system, modifying immutable
          \ files, modifying IPC owned by another, and changing the system time.
          \ This is left an option because it can break some apps.  Disable this
          \ if your chrooted apps are having problems performing those kinds of
          \ tasks.  If the sysctl option is enabled, a sysctl option with
          \ name "chroot_caps" is created."
          \.....
          \ New: now looks like I'm getting "mount: permission denied" because of this CAP_SYS_ADMIN; I didn't use to get this before! must be the new portage 2.2.22 ?
          \ [  700.484975] grsec: From 10.0.2.2: exec of /root/admincd/source/bin/mount (mount -t cgroup -o rw,nosuid,nodev,noexec,none,name=portage tmpfs /sys/fs/cgroup/portage ) by /root/admincd/source/bin/mount[emerge:12460] uid/euid:0/0 gid/egid:0/0, parent /root/admincd/source/usr/lib64/python-exec/python3.4/emerge[emerge:9821] uid/euid:0/0 gid/egid:0/0
          \ [  700.503469] grsec: From 10.0.2.2: use of CAP_SYS_ADMIN in chroot denied for /root/admincd/source/bin/mount[mount:12460] uid/euid:0/0 gid/egid:0/0, parent /root/admincd/source/usr/lib64/python-exec/python3.4/emerge[emerge:9821] uid/euid:0/0 gid/egid:0/0
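        \ Added example (not from these notes): the sysctl lines above relax the grsecurity chroot restrictions on the host for the whole session, and the "#RESTORE" reminder is easy to forget. These helpers record the previous value of each knob before setting it to 0 and put the values back afterwards. They write the files under /proc/sys directly (the same effect as sysctl -w); the SYSCTL_ROOT variable is an assumption added so the functions can be exercised against a scratch directory instead of a live kernel. chroot_caps is left out on purpose, matching the disabled item above.

```shell
#!/bin/sh
# Added example, not part of the original notes: relax the grsecurity chroot
# sysctls for the duration of the build and put them back afterwards, keeping
# a record of the previous values so nothing stays relaxed by accident.
# Writes the files under /proc/sys directly (equivalent to sysctl -w); the
# SYSCTL_ROOT variable is an assumption that lets the same functions be run
# against a scratch directory instead of a live kernel.
set -eu
: "${SYSCTL_ROOT:=/proc/sys}"

# The knobs the notes toggle. chroot_caps is deliberately left out: setting
# it to 0 widens what any chrooted process may do, so it is a separate decision.
GRSEC_CHROOT_KEYS="chroot_deny_mount chroot_deny_chmod chroot_deny_chroot chroot_deny_mknod"

grsec_path() {
    printf '%s/kernel/grsecurity/%s\n' "$SYSCTL_ROOT" "$1"
}

# Record each key's current value in $1 (one "key value" per line), then set
# it to 0. Keys missing on the running kernel are skipped, not treated as errors.
relax_chroot_sysctls() {
    state="$1"
    : > "$state"
    for key in $GRSEC_CHROOT_KEYS; do
        p=$(grsec_path "$key")
        [ -f "$p" ] || continue
        printf '%s %s\n' "$key" "$(cat "$p")" >> "$state"
        printf '0\n' > "$p"
    done
}

# Put back every value recorded by relax_chroot_sysctls.
restore_chroot_sysctls() {
    while read -r key value; do
        printf '%s\n' "$value" > "$(grsec_path "$key")"
    done < "$1"
}

# Current value of one key, for checking before and after.
chroot_sysctl_value() {
    cat "$(grsec_path "$1")"
}

# Typical use around the chrooted emerge (run as root on the host):
#   relax_chroot_sysctls /root/grsec-chroot.state
#   chroot "$LIVECD/source/" /bin/bash --login     # ... build ...
#   restore_chroot_sysctls /root/grsec-chroot.state
```

        \ Keeping the state file outside the chroot tree matters: the restore step is what brings chroot_deny_mount and friends back to their original values on the host once the build is done.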
      * get the pub key so that webrsync doesn't fail
        * cp --archive -- /etc/portage/gpg ./etc/portage/
      * get .bashrc in there because it sets some CCACHE vars without which apparently cache miss happens all the time!
        * cp --archive -L -- /root/.bashrc ./root
        * cp --archive -L -- /root/.bash_profile ./root
      * other stuff
        * cp --archive -L -- /root/.vimrc ./root
      * CHROOT
        * chroot "${LIVECD}/source/" /bin/bash --login
          \ #NEXTTIME
        * env-update && source /etc/profile && source ~/.bash_profile
      * passwd
        \ set root password
      * eselect profile list
        \ see if it's right
        \   [16]  hardened/linux/amd64/no-multilib *
      - Make sure you add livecd to your USE variables.
        \ nano -w /etc/portage/make.conf
      - make sure you add -X (minus X) as USE var!
        \ search with Ctrl+W  (in nano) Alt+W repeat last search
      - add USE flag: userlocales
      - nano /etc/locale.gen
        \ uncomment the first two
        \ en_US ISO-8859-1
        \ en_US.UTF-8 UTF-8
      * locale-gen
        * locale -a
          \ should be only 5 items listed!
      * set the system-wide locale settings
        * eselect locale list
        - Select the en_US.utf8 one:
          * eselect locale set 4
            \ XXX: lsblk is ugly in virtual consoles (TERM=linux) unless this is set to C (aka set 1); also mc is ugly too!
            \ changing from the C to utf8 one requires restarting X, or just relogging (not enough to just source /etc/profile again) - tested to see the change in vim: it showed up as two rhomboid '?', but after exiting X and logging out, then logging in, startx, vim, the 'a' with accent char  showed okay. (also in git diff)
        * select the C one:
          * eselect locale set 1
            \ the downside of this is that you cannot paste or type chars like 'a' with accent inside vim for example, it shows up as '?'; although you can see it okay inside firefox. You can type it in mousepad though, but still can't see it in vim(shows up as a different char than '?' this way, and git diff reports it as <C3><A1> ).
            \ TODO: remember to switch to the utf8 one later on when you're using X !!
      * env-update && source /etc/profile && source ~/.bash_profile
        \ oh we don't have ~/.bash_profile yet; maybe I'll copy it before running this; who knows; otherwise ignore.
      * emerge --config sys-libs/timezone-data
        \  * Updating /etc/localtime with /usr/share/zoneinfo/Europe/Budapest
        \ getting these errors, unsure why:
        \ mount: permission denied
        \ Unable to unshare: EPERM
        \ maybe those grsec chroot permissions!!!
      * time emerge -nav \>=ccache-3.2.2
      * time emerge -n --ask --verbose sys-apps/fakeroot
      * time emerge -nav debugedit
      * re-emerge with debugedit on
        * time emerge -av sys-apps/fakeroot debugedit dev-libs/beecrypt dev-libs/icu
      * time emerge -nav \>=gcc-5.2.0
        \ because ~amd64 is at 4.9.3  (and there's 5.1.0 and 5.2.0 extra)
        \ you'll need to run dispatch-conf to apply the changes before rerunning emerge
        \ duration: 139m
        * gcc-config -l
          \ [1] x86_64-pc-linux-gnu-4.8.5 *
          \ [2] x86_64-pc-linux-gnu-4.8.5-hardenednopie
          \ [3] x86_64-pc-linux-gnu-4.8.5-hardenednopiessp
          \ [4] x86_64-pc-linux-gnu-4.8.5-hardenednossp
          \ [5] x86_64-pc-linux-gnu-4.8.5-vanilla
          \ [6] x86_64-pc-linux-gnu-5.2.0
          \ [7] x86_64-pc-linux-gnu-5.2.0-hardenednopie
          \ [8] x86_64-pc-linux-gnu-5.2.0-hardenednopiessp
          \ [9] x86_64-pc-linux-gnu-5.2.0-hardenednossp
          \ [10] x86_64-pc-linux-gnu-5.2.0-vanilla
        * gcc-config 6
          \ pick the newest one
        * hash -r && env-update && source /etc/profile ; source ~/.bash_profile
          \ looks like gcc-config already runs env-update!
        * time emerge --oneshot libtool
          \ duration: 3m16s
        * don't keep old gcc because it will be recompiled/updated on next --update !! so wastes time!
          * time emerge -av --depclean  (XXX: but I wanna keep the old gcc for now, so don't!)
            \ this will remove old gcc version (4.8.3 in this case)
        * time emerge @preserved-rebuild  (old version of this: revdep-rebuild)
          \ //revdep-rebuild command is part of gentoolkit package
          \ finds nothing to update, usually!
      * time emerge -av glibc
        \ gets updated to sys-libs/glibc-2.21-r1
        \ 39m46s
      - time emerge -av --emptytree world --exclude glibc --exclude gcc
        \ no idea why this is needed!
        \ 231 packages!! that's a bad idea!
      * update system
        * time emerge-webrsync -v -k
          \ #NEXTTIME
          \ 3m22s (with postsync.d)
          \ 3m18.092s and failed postsync.d remanifest due to newer portage version which I installed last time, that is: 2.2.22 vs 2.2.20.1
          \ 2m56s
          * time emerge -av =portage-2.2.20.1
            \ downgrading...
            \ duration: 3m20.990s
          * rm -v /usr/portage/metadata/timestamp.x
          * time emerge-webrsync -v -k
            \ something here broke vim wofl as I cannot za or zc properly here!
            \ dur: 1m41.957s
            \ and works of course!
            \ XXX: looks like it's because they fixed the -p aka pretend parameter! and so that's why it fails like so:
            \ # repoman -pv  --digest=y  --ask manifest
            \ [WARNING] No VCS type detected, unable to sign the commit
            \ [INFO] checking package sys-apps/debianutils
            \ 
            \ !!! Digest verification failed:
            \ !!! /usr/portage/sys-apps/debianutils/debianutils-4.4.ebuild
            \ !!! Reason: Filesize does not match recorded size
            \ !!! Got: 1039
            \ !!! Expected: 1026
            \  * Digest verification failed:
            \  * /usr/portage/sys-apps/debianutils/debianutils-4.4.ebuild
            \  * Reason: Filesize does not match recorded size
            \  * Got: 1039
            \  * Expected: 1026
            \ and without -p just works! so fixing 2remanifest script to not use -p with repoman
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ #NEXTTIME
          \ let's do this instead!
          \ Total: 178 packages (95 upgrades, 56 new, 5 in new slots, 22 reinstalls, 1 uninstall), Size of downloads: 3,788 KiB
          \ i installed glibc manually first, so:
          \ Total: 177 packages (94 upgrades, 56 new, 5 in new slots, 22 reinstalls, 1 uninstall), Size of downloads: 0 KiB
          \ duration: 464mins until first fail due to grsec permissions inside chroot!: 
          \ chmod: changing permissions of ‘/var/tmp/portage/sys-apps/util-linux-2.27/image//bin/mount’: Permission denied
          \ in sys-apps/util-linux-2.27
          \ also failed: sys-libs/pam-1.2.1-r1
          \ with: Setting caps 'cap_dac_override=ep' on file '/sbin/unix_chkpwd' failed:
          \ also failed: ERROR: net-misc/iputils-20121221-r2::gentoo failed (postinst phase):
          \ (no error message)
          \ Note: went back into history(above) and set some grsec via sysctl so the above may not be an issue anymore!
        - ln -sf /usr/share/zoneinfo/Europe/Bucharest /etc/localtime
        - time emerge -nav dhcpcd
          \ apparently I should already have udhcpc (busybox)
        * hash -r && env-update && source /etc/profile && source ~/.bash_profile
        * time perl-cleaner --all
          \ 12m30s
        * time emerge @preserved-rebuild
          \ rebuilds 18 packages
          \ duration: 127m11s
        * hash -r && env-update && source /etc/profile && source ~/.bash_profile
        * time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ rerun this because of the fails earlier, now they're handled
          \ Total: 19 packages (9 upgrades, 6 new, 1 in new slot, 3 reinstalls), Size of downloads: 0 KiB
          \ duration: 153m26s
        * time emerge @preserved-rebuild
        * time emerge --depclean -av
          \ this removes gcc 4.8.5 too!
        * time emerge @preserved-rebuild
          \ yep this still had 1 package to recompile now after --depclean, it's perl!
          \ duration: 17m11s
        * time emerge -nav localepurge genkernel gentoolkit dmraid livecd-tools scripts mingetty
          \ omitting failing package: memtest86+
          \ sys-apps/memtest86+-5.01-r1
          \ Total: 18 packages (18 new), Size of downloads: 309 KiB
          \ duration: 75m50s
        * hash -r && env-update && source /etc/profile && source ~/.bash_profile
      * time emerge -nav sys-apps/hwsetup
        \ hwsetup is needed for autoconfig to work on boot!
        \ duration: 3m34.533s
      * time emerge -nav media-sound/alsa-utils
        \ this is needed for unmute to work (it fails by not finding alsasound or something) when autoconfig (on boot) is trying to start up
        \ without this autoconfig just fails
        \ wait, why is this then not a dependency of autoconfig ? or what am I missing here? autoconfig AND unmute are both part of (equery b /etc/init.d/autoconfig) package: app-misc/livecd-tools-2.0.4  and yep unmute depends on alsasound which doesn't exist as /etc/init.d/alsasound  but looks like  media-sound/alsa-utils definitely installs it! Reported issue: https://bugs.gentoo.org/show_bug.cgi?id=561498
        \ duration: 15m12s (some other compilation was happening in the background though)
      * delete dhcpcd so that autoconfig doesn't use it which in turn messes up my route table on bare metal!
        * time emerge --depclean -av net-misc/dhcpcd
      - (don't get dhcpcd!) autoconfig needs dhcpcd installed or else it still works but spews an error when trying to execute it and I'm not sure if this has any other side effects (like as if set -e was enabled; apparently this is not happening though)
        * time emerge -nav net-misc/dhcpcd
          \ 1m17.236s
          \ FIXME: maybe need some configuration options to be set!
          \ so I don't need to have dhcpcd installed for my case since I've enp0s3 script which brings up that interface via some other kind of dhcp - busybox's udhcpc which is exactly this(used): /lib64/netifrc/net/udhcpc.sh
          \ FIXME: note that kernel cmdline nodhcp is ignored by this autoconfig AND by udhcpc scripts (net.lo symlinks) - OH WAIT, it didn't get passed by syslinux via "go nodhcp" (go is the label)
        * add resolv.conf.tail to have a nameserver selected
          \ note that since we've installed dhcpcd, it will overwrite /etc/resolv.conf  and so if we use .tail we can replace a line inside with the google dns server.
          * vim /etc/resolv.conf.tail
            \ nameserver 8.8.8.8
      - time emerge -nav virtualbox-guest-additions
        \ this needs hardened-sources package installed(or else it tries to get gentoo-sources package!) and not just having copied, as I did, /usr/src/linux* folders over.
        \ I wanted this only for when booting the iso inside virtualbox.
        \ TODO: maybe some other time.
      * time emerge -nav bc
        \ or else, kernel compilation will fail:
        \ */bin/sh: bc: command not found
        \ *kernel/time/Makefile:30: recipe for target 'kernel/time/timeconst.h' failed
        \ duration: 3m1s
      * time emerge -av =app-misc/mc-9999
        \ midnight commander, because we could use this inside livecd
        \ 3 packages, dur: 23m27s
        \ cvs? really! FIXME: modify the mc-9999 ebuild to not require cvs package! /usr/portage/app-misc/mc/mc-9999.ebuild Hmm, need to check what's autopoint(submodule of sorts? inside mc git?) [[ -n ${LIVE_EBUILD} ]] && DEPEND="${DEPEND} dev-vcs/cvs" # needed only for SCM source tree (autopoint uses cvs)
      * linux firmware (radeon and amd cpu microcode is here)
        \ https://wiki.gentoo.org/wiki/AMD_microcode
        * time emerge -nav sys-kernel/linux-firmware
          \ 2m40s
          \ not bothering to edit that "config"
          \ need because: make[1]: *** No rule to make target '/lib/firmware/radeon/SUMO_me.bin', needed by 'firmware/radeon/SUMO_me.bin.gen.o'.  Stop.
      * need btrfs command
        * time emerge -nav sys-fs/btrfs-progs
          \ Total: 3 packages (3 new), Size of downloads: 0 KiB
          \ 12m32s
      * network
        \ XXX: this activates enp0s3 only(inside virtualbox)! so ignore that the other 2 fail! eth0 and p2p1! they may work if you boot on bare metal tho! (boot tested only inside virtualbox 5.0.0); p4p1 gets activated on my z575 bare metal!
        * time emerge -nav sys-apps/biosdevname
          \ 2m24s
        * for extra options(like setting domain name to homenetwork) if needed, see:
          \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System#Host_and_domain_information
        * emerge --ask --noreplace net-misc/netifrc
          \ this adds it to favs.
        * (remember we're in chroot!) rm /etc/conf.d/net
          \ already doesn't exist
        * vim /etc/conf.d/net
          \ new file!
          * both
            \ config_eth0="dhcp"
            \ config_enp0s3="dhcp"
            \ config_p2p1="dhcp"
            \ config_p4p1="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ routes_p4p1="default via 192.168.0.1"
          - dhcp (needs only p4p1 for my bare metal z575 laptop; in virtualbox it is enp0s3)
            \ config_eth0="dhcp"
            \ config_enp0s3="dhcp"
            \ config_p2p1="dhcp"
            \ config_p4p1="dhcp"
            \ #set them all! one of them will probably work...
          - if static IP
            \ use different IP name here than what you used on liveCD, so that you don't have to edit out the ~/.ssh/known_hosts line due to different fingerprint when ssh-ing later on
            \ The /etc/conf.d/net file does not exist by default, so needs to be created.
            \ config_eth0="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ routes_eth0="default via 192.168.0.1"
            \ config_enp0s3="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ routes_enp0s3="default via 192.168.0.1"
            \ config_p2p1="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ routes_p2p1="default via 192.168.0.1"
            \ config_p4p1="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ routes_p4p1="default via 192.168.0.1"
            \ turns out these enp2s0 and enp3s0 cards in my former desktopPC(not virtualbox!) don't get transformed into p2p1 -like bios names!
        * set them up to start on "boot"
          - cd /etc/init.d
          * ln -s /etc/init.d/net.lo /etc/init.d/net.eth0
            \ in case the below 2 fail (they did with hardened uclibc)
          * ln -s /etc/init.d/net.lo /etc/init.d/net.enp0s3
          * ln -s /etc/init.d/net.lo /etc/init.d/net.p2p1
          * ln -s /etc/init.d/net.lo /etc/init.d/net.p4p1
            \ on bare metal
          * (we set them anyway!) //apparently these aren't(?) needed maybe due to autoconfig using them automatically?(at least that's what it seems like from the official admincd.iso), let's try without them:
            * rc-update add net.eth0 default
            * rc-update add net.enp0s3 default
            * rc-update add net.p2p1 default
              \ XXX: this p2p1 appears instead of enp0s3 due to sys-apps/biosdevname being installed !
              \ inside virtualbox
            * rc-update add net.p4p1 default
              \ XXX: it's p4p1 on my bare metal! instead of p2p1
          * rc-status
            \ to see what we did
      * autoconfig? this means all the net.* above are not needed
        * rc-update add autoconfig default
          \ this definitely didn't bring up my p4p1 but then again, I didn't have /etc/conf.d/net AND a dhcp server listening to give it IP, so maybe that's why!
          \ done: this won't start due to /usr/sbin/hwsetup not existing and thus /etc/init.d/hwsetup start  failing.
        - ln -s /etc/init.d/autoconfig /etc/runlevels/default/
      * done: see what other runlevels are necessary
        * boot
          \ device-mapper
          \ dmcrypt
          \ lvm
          \ mdraid
          * rc-update add device-mapper boot
          * rc-update add dmcrypt boot
          * rc-update add lvm boot
        * default
          \ fixinittab
          \ autoconfig
          \ //syslog-ng
          \ FIXME: add fixinittab to runlevel default (admincd has it)
          - rc-update add fixinittab default
            \ no! this gets autologin as root and clears the screen beforehand
          * rc-update del fixinittab default
          * rc-update del netmount default
            \ if any
      * need eudev for this binary to exist: /sbin/udevd or else it will complain that udev couldn't start(at livecd boot)
        * time emerge -nav '>=sys-fs/eudev-3.1.2'
          \ 2 packages, dur: 9m50s
      - (this doesn't work unless it's on kernel cmdline!) no framebuffer attempt on boot
        \ or use kernel cmdline: radeon.modeset=0
        * vim "/etc/modprobe.d/radeon-kms.conf"
          \ //vim "${LIVECD}/source/etc/modprobe.d/radeon-kms.conf"
          * contents:
            \ options radeon modeset=0
          * doesn't work: this needs kernel recompile if it wasn't set before! so that genkernel can include /etc/modprobe.d/* files into initramfs! (tested to not work, having this file but without running genkernel beforehand)
            \ Note: For nVidia based cards, add "nomodeset" to the kernel command line
            \ src: http://kb.digium.com/articles/FAQ/How-to-disable-the-Linux-frame-buffer-if-it-s-causing-problems
      - time USE=alsa emerge -nav media-sound/mpg123
        \ XXX: audio works inside virtualbox, not on bare metal though!
        \ getting this so I can listen to something while installing/compiling (when booted from iso)
        \ Total: 13 packages (13 new), Size of downloads: 851 KiB
        \ duration: 52m33s
        \ extra 10m49s with the alsa flag, afterwards. still not working...
        * time USE="alsa sdl portaudio oss jack -ipv6" emerge -av mpg123
          \ Total: 7 packages (6 new, 1 reinstall), Size of downloads: 6,904 KiB
          \ an extra : 24m10s
        * mp3 to test
          \ https://archive.org/download/testmp3testfile/mpthreetest.mp3
          \ mpg123 -a hw:0,0 mpthreetest.mp3
      * time emerge -nav links
        \ dur: 15m31.718s
      * time emerge -nav colordiff
        \ need this just in case
        \ like 2mins (forgot to look)
      * time emerge -nav parted
        \ 10m40.359s
      * time emerge -nav app-portage/mirrorselect
        \ Total: 18 packages (18 new), Size of downloads: 0 KiB
        \ 23m53.314s
        \ yep not worth it!
      * kernel
        * exit out of chroot or get into another terminal and do this outside of chroot:
          \ as to avoid this: mknod: console: Operation not permitted
          \ during genkernel (apparently at end of kernel compilation)
          * sysctl -w kernel.grsecurity.chroot_deny_mknod=0
            \ #NEXTTIME
        * cd /usr/src/linux
        * make nconfig
          * General -> File systems
            * <*> The Extended 4 (ext4) filesystem
              \ CONFIG_EXT4_FS
              \ this for the extra partition that we add near the iso on the usbstick!
              \ not module because... no good reason
            * [*]   EXT4 debugging support
              \ CONFIG_EXT4_DEBUG
            * -*- Miscellaneous filesystems  --->
              * <*>   SquashFS 4.0 - Squashed file system support
                \ CONFIG_SQUASHFS
                * File decompression options (Decompress file data into an interm
                * Decompressor parallelisation options (Use percpu multiple decom
                * -*-     Squashfs XATTR support
                * [*]     Include support for ZLIB compressed file systems (NEW)
                * rest are deselected!
            * CD-ROM/DVD Filesystems  --->
              * <*> ISO 9660 CDROM file system support
              * other options don't matter (apparently!)
              * TODO: look into zisofs to reduce used/written space on usbstick with option [*]   Transparent decompression extension
            * Pseudo filesystems  --->
              * [*] Tmpfs virtual memory file system support (former shm fs)
          * Device Drivers  --->
            * [*] Block devices  --->
              * <*>   Loopback device support
              * <*>   RAM block device support
                * (16)    Default number of RAM disks (NEW)  
                * (32768)  Default RAM disk size (kbytes) (NEW)
                  \ default: (4096)  Default RAM disk size (kbytes) (NEW)
                  \ the dec.2012 article says it wants 9000
          * already have usb mass storage support selected with the specific realtek card
          * TODO: unpatch the black screen with radeon prevention, in an attempt to see if we can have textonly kernel
            * /patches/portage/sys-kernel/hardened-sources/prevent_blackscreen_due_to_lacking_fbcon.patch
        * time genkernel all --bootdir="/boot" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs  --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-mrproper --no-clean --no-postclear --oldconfig
          \ yeah /boot already exists with /.keep file inside
          \ #NEXTTIME recompile takes: 7m38s (with zlib option selected for squashfs, since I forgot it!)
        * do this outside of chroot:
          * sysctl -w kernel.grsecurity.chroot_deny_mknod=1
            \ #NEXTTIME
        * cd /boot
          \ #NEXTTIME
          \ get the latest files and copy them as initrd/vmlinuz
          * cp --archive -- initramfs-genkernel-x86_64-4.1.7-hardened-g45b4b78 initrd
          * cp --archive -- kernel-genkernel-x86_64-4.1.7-hardened-g45b4b78 vmlinuz
      * time emerge -nav vim
        \ need it
        \ duration: 13m46s
      * clean extra locales
        - emerge app-admin/localepurge
          \ already emerged above
        * eselect locale list
          \ make note of these
        * vim /etc/locale.nopurge
          * delete all locales
          * delete: NEEDSCONFIGFIRST
          * these should remain:
            \ MANDELETE
            \ SHOWFREEDSPACE
            \ VERBOSE
          * add the ones from the eselect above, so:
            \ C
            \ en_US
            \ en_US.iso88591
            \ en_US.utf8
            \ POSIX
        * time localepurge
          \ 11s
        - time makewhatis -u
          \ apparently makewhatis is part of sys-apps/man which isn't installed even on my outside-of-chroot!(but I've 'man' there which is part of sys-apps/man-db-2.7.3 )
          \ this is supposed to "reindex" they say.
        * time mandb
          \ 5m49s
        * time mandb -u
          \ 1s
      - Delete wrong symbolic links
        * find / -type l ! -xtype f ! -xtype d -ok rm -f {} \;
          \ don't run this because it wants to delete /dev/disk/by-uuid/* for example which are from outside of chroot
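        \ added example (not from these notes): why the predicate above over-reports and a stricter test for truly dangling links; it only ever touches a constructed temp tree, and a FIFO stands in for the block devices under /dev since mknod on a block device needs root

```shell
#!/bin/sh
# Added example, not from the original notes: shows why the page's "wrong
# symlink" predicate over-reports, and a stricter test for truly dangling links.
# Run against a constructed temp tree, never against / (see the warning above).

# The page's predicate: symlinks whose target is neither a regular file nor a
# directory. Links to block/char devices, FIFOs or sockets also match, which is
# exactly why it wanted to delete /dev/disk/by-uuid/* (links to block devices).
# -xdev keeps find on one filesystem, so bind-mounted host paths are not crossed.
wrong_links_page_predicate() {
    find "$1" -xdev -type l ! -xtype f ! -xtype d -print
}

# Strict version: a symlink whose target does not exist at all. For a symlink,
# "-xtype l" is only true when following it fails (GNU find).
dangling_links() {
    find "$1" -xdev -type l -xtype l -print
}

count_wrong_links()    { wrong_links_page_predicate "$1" | wc -l | tr -d ' '; }
count_dangling_links() { dangling_links "$1" | wc -l | tr -d ' '; }

# Build a constructed tree with one link of each kind. A FIFO stands in for the
# block devices under /dev, since mknod on a block device needs root.
make_demo_tree() {
    d=$(mktemp -d)
    printf 'x\n' > "$d/file"
    mkdir "$d/dir"
    mkfifo "$d/fifo"
    ln -s file           "$d/link_ok"        # regular file: fine under both
    ln -s dir            "$d/link_dir"       # directory: fine under both
    ln -s fifo           "$d/link_fifo"      # page predicate flags it; not dangling
    ln -s does_not_exist "$d/link_dangling"  # the only truly broken link
    printf '%s\n' "$d"
}

# Stand-alone run ("sh this.sh demo"): print both lists for the demo tree.
if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_tree)
    echo "page predicate flags:"; wrong_links_page_predicate "$demo"
    echo "dangling only:";        dangling_links "$demo"
    rm -rf "$demo"
fi
```

        \ on the demo tree the page's predicate lists link_fifo and link_dangling, while -xtype l lists only link_dangling; inside the chroot the same difference is /dev/disk/by-uuid/* versus nothing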
      - delete ".keep" files that are necessary to restore empty directories
        * find / -type f -xdev -name ".keep" -print -exec rm {} \;
      * time emerge -nav mlocate
        \ 2m49s
        * time updatedb
          \ 9s
      - time emerge -nav sys-boot/grub-static
        \ installs: sys-boot/grub-static-0.97-r12
        \ need that /lib/grub/i386-pc/stage2_eltorito which is 128116 bytes size, sha512: 0506f786634bffed2333c4efe4708f6c4876961bcdf33726228e05b7bcf907072e1831ddec8533d3824e892b62de2bb6707880d219ba57ff370205b3aa1ebe8b
        \ duration: 1m44s
      - time emerge -nav =grub-9999-r1
        \ Total: 2 packages (2 new), Size of downloads: 1,725 KiB
        \ media-libs/freetype-2.6 sys-boot/grub-9999-r1
        \ 19m54s
        \ this is not the version that we want!
      - vim /etc/default/grub
        \ change timeout from 1 to 10:
        \ GRUB_TIMEOUT=10
        \ wait, this has no effect... if we're using menu.lst below, right?
        \ TODO: rm this file
      - mkdir -p /boot/grub/
      - vim /boot/grub/menu.lst
        \ default 0
        \ timeout 7
        \ 
        \ title=LiveCD
        \ kernel /boot/vmlinuz real_root=/dev/loop0 looptype=squashfs loop=/livecd.squashfs initrd udev nodevfs cdroot dodmraid CPUunderclocking ipv6.disable=1 pnp.debug=1 loglevel=9 log_buf_len=10M printk.always_kmsg_dump=y printk.time=y mminit_loglevel=0 memory_corruption_check=1 nohz=on rcu_nocbs=1-3 pcie_aspm=force fbcon=scrollback:4096k fbcon=font:ProFont6x11 apic=debug dynamic_debug.verbose=1 dyndbg="file arch/x86/kernel/apic/* +pflmt ; file drivers/video/* +pflmt ; file drivers/input/* -pflmt ; file drivers/acpi/* -pflmt" acpi_backlight=vendor radeon.audio=0 radeon.lockup_timeout=20000 radeon.test=0 radeon.agpmode=-1 radeon.benchmark=0 radeon.tv=0 radeon.hard_reset=1 radeon.aspm=1 radeon.msi=1 radeon.pcie_gen2=-1 radeon.no_wb=1 radeon.dynclks=0 radeon.r4xx_atom=0 radeonfb radeon.fastfb=1 radeon.modeset=1 radeon.dpm=1 radeon.runpm=1 rd.debug rd.udev.debug rd.memdebug=3 net.ifnames=1 console=tty1 earlyprintk=vga slub_debug=U noefi dolvm dobtrfs
        \ #notice that " are not escaped like \" because it will err like: unknown flag '\' in '\"'
        \ initrd /boot/initrd
        \ 
        \ title=LiveCD ask
        \ kernel /boot/vmlinuz real_root=/dev/loop0 looptype=squashfs loop=/livecd.squashfs vga=ask initrd udev nodevfs cdroot dodmraid CPUunderclocking
        \ initrd /boot/initrd
      * remove any old modules
        \ there are none the first time you're doing this
        \ #NEXTTIME
        * cd /lib/modules
          \ there's no /lib64/modules/ dir btw!
        * du -sh *
          \ keep the newly generated one (currently shows only one)
        * otherwise rm -rf other folders
      - cp --archive -- "/lib/grub/i386-pc/stage2_eltorito" "/boot/grub/"
        \ needed for mkisofs later, outside of chroot
      * exit chroot
        \ #NEXTTIME
      * cd "${LIVECD}/source"
        \ already still here.
        \ #NEXTTIME
      * restore grsec stuff
        * sysctl -w kernel.grsecurity.chroot_deny_mount=1 ; sysctl -w kernel.grsecurity.chroot_deny_chmod=1 ; sysctl -w kernel.grsecurity.chroot_deny_chroot=1
          \ #NEXTTIME #RESTORE
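        \ added example (not from these notes): save / relax / restore the grsec chroot sysctls from the step before the chroot and this restore step as one wrapper, so the hardening goes back to exactly what it was instead of being re-typed from memory; assumes a grsecurity kernel exposing the four keys named on this page

```shell
#!/bin/sh
# Added example, not from the original notes: save, relax and restore the
# grsecurity chroot sysctls around a chroot build session, so the hardening is
# put back exactly as it was instead of being re-typed from memory.
# Assumes a grsecurity kernel that exposes the keys named on the page.

GRSEC_CHROOT_KEYS="kernel.grsecurity.chroot_deny_mknod
kernel.grsecurity.chroot_deny_mount
kernel.grsecurity.chroot_deny_chmod
kernel.grsecurity.chroot_deny_chroot"

# Snapshot current values into a state file, one key=value per line.
grsec_chroot_save() {
    : > "$1"
    for k in $GRSEC_CHROOT_KEYS; do
        printf '%s=%s\n' "$k" "$(sysctl -n "$k")" >> "$1"
    done
}

# Set every key to 0 for the duration of the chroot work.
grsec_chroot_relax() {
    for k in $GRSEC_CHROOT_KEYS; do
        sysctl -w "$k=0" > /dev/null
    done
}

# Restore exactly the saved values (a key that was already 0 stays 0).
grsec_chroot_restore() {
    while IFS= read -r kv; do
        sysctl -w "$kv" > /dev/null
    done < "$1"
}

# Run a command with the restrictions relaxed and restore afterwards, also on
# failure or Ctrl-C via the trap, so the relaxed state cannot outlive the session.
with_relaxed_grsec_chroot() {
    state=$(mktemp)
    grsec_chroot_save "$state"
    trap 'grsec_chroot_restore "$state"; rm -f "$state"; trap - EXIT INT TERM' EXIT INT TERM
    grsec_chroot_relax
    "$@"; rc=$?
    grsec_chroot_restore "$state"; rm -f "$state"; trap - EXIT INT TERM
    return "$rc"
}

# Usage (outside the chroot, as root):
#   with_relaxed_grsec_chroot chroot "${LIVECD}/source" /bin/bash
```

        \ usage: with_relaxed_grsec_chroot chroot "${LIVECD}/source" /bin/bash  replaces the manual sysctl -w 0/1 pairs; the state file is written before anything is relaxed, so a crash mid-session still leaves a record of what to put back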
      * prepare resolv.conf
        * echo 'nameserver 8.8.8.8' > ./etc/resolv.conf
      * more virtual consoles and dmesg on the 10-12th ones
        * cp --archive --verbose -- /etc/inittab ./etc/inittab
      * get vim plugins for root too! (notice that ./root/.vim/ doesn't exist!)
        * cp --archive --verbose -- /home/zazdxscf/.vim ./root/
        * vim ./root/.vimrc
          \ .vimrc changes for virtual console (TERM=linux  and locale is C)
          * change an existing line to:
            \ highlight Comment ctermbg=none ctermfg=darkgray
            \ " ^ for .wofl  lines beginning with minus -  to not be white(that 26)
          * remove the if-end surrounding: execute pathogen#infect()  so that root can use the wofl plugin
      * mkdir -vp "${LIVECD}/source/boot/isolinux/"
        * cp --archive --verbose --target-directory "${LIVECD}/source/boot/isolinux/" -- /usr/share/syslinux/isohdpfx.bin /usr/share/syslinux/isolinux.bin /usr/share/syslinux/ldlinux.c32 /usr/share/syslinux/{{vesa,c,}menu,libutil}.c32
          \ XXX: hmm, will not boot at all without libutil.c32 if you have UI menu.c32  in .cfg
          \ we copy all menus, although only menu.c32 would be needed!
          \ // not needed in target, but I wanna make sure it doesn't get modified if I specify its original path! like mkisofs did for ... I forget, maybe stage2_eltorito file ? (not boot.catalog)  ok, no changes detected(with diff) to any of these bin files after xorriso below got executed!)
          \ only isolinux.bin is needed in /tmp/target/isolinux/
          \ isohdpfx.bin just needs to be fullpath specified at xorriso cmdline
        * vim "${LIVECD}/source/boot/isolinux/isolinux.cfg"
          \ UI menu.c32
          \ PROMPT 1
          \
          \ MENU TITLE Boot Menu
          \ DEFAULT go
          \ TIMEOUT 600
          \ ONTIMEOUT go
          \ #F1 f1.txt
          \
          \ LABEL go
          \ MENU LABEL go baby
          \ KERNEL /boot/vmlinuz
          \ INITRD /boot/initrd
          \ APPEND real_root=/dev/loop0 looptype=squashfs loop=/livecd.squashfs initrd cdroot ipv6.disable=1 pnp.debug=1 loglevel=9 log_buf_len=10M printk.always_kmsg_dump=y printk.time=y mminit_loglevel=0 memory_corruption_check=1 nohz=on rcu_nocbs=1-3 pcie_aspm=force fbcon=scrollback:4096k fbcon=font:ProFont6x11 apic=debug dynamic_debug.verbose=1 dyndbg="file arch/x86/kernel/apic/* +pflmt ; file drivers/video/* +pflmt ; file drivers/input/* -pflmt ; file drivers/acpi/* -pflmt" acpi_backlight=vendor radeon.audio=0 radeon.lockup_timeout=20000 radeon.test=0 radeon.agpmode=-1 radeon.benchmark=0 radeon.tv=0 radeon.hard_reset=1 radeon.aspm=1 radeon.msi=1 radeon.pcie_gen2=-1 radeon.no_wb=1 radeon.dynclks=0 radeon.r4xx_atom=0 radeon.fastfb=1 radeon.dpm=1 radeon.runpm=1 rd.debug rd.udev.debug rd.memdebug=3 net.ifnames=1 console=tty1 earlyprintk=vga slub_debug=U noefi dolvm dobtrfs CPUunderclocking radeon.modeset=0
          \ no framebuffer(works in virtualbox with gentoo's admincd): vga=normal
          \ nofb vga=normal nomodeset video=vesafb:off fbcon=map:1
          \ #removed: udev nodevfs dodmraid
          \ #removed: radeonfb 
          \ replaced with nofb !! (testing to see if it works now; definitely doesn't work without nofb so far) we don't want framebuffer due to small scrollback!
          \ nofb and lack of radeonfb still enables framebuffer, so try next:
          \ vga=normal nomodeset video=vesafb:off fbcon=map:1
          \ if only one driver is available, fb0, adding fbcon=map:1 tells fbcon not to take over the console.
          \ src: kernel/Documents/fb/fbcon.txt
          \ there's also: fbcon=vc:6-7
          \ the only thing that works(and doesn't just blank like the map one) is the radeon.modeset=0 at kernel cmdline (tested) [the modprobe.d/ conf doesn't work!]  but this will LIKELY need to be set to 1 for X (startx) to be able to get into graphics mode (even though virtualbox is able to go from text to X and back without problems; but that's because it's on a non-radeon driver)
      * umount --recursive --verbose --lazy -- ./patches ./ccache ./usr/portage/distfiles ./tmp ./var/tmp/portage/ ./var/tmp/ ./proc ./sys ./dev ./run
        \ #NEXTTIME
      - hash -r && env-update && source /etc/profile && source ~/.bash_profile
        \ this shouldn't be needed!
      - mkdir -p "${LIVECD}/target/files/source"
      - rm -vrf "${LIVECD}/target/boot/" "/tmp/target/boot/"
      - rsync --delete-after --archive --hard-links --quiet ${LIVECD}/source/boot ${LIVECD}/target/
      - cp --archive --reflink=always --verbose -- "${LIVECD}/source/boot" "${LIVECD}/target/"
      - choose one of the following! depending on if this is the first time or any subsequent times:
        * firsttime?
          * time rm -rf "${LIVECD}/target/files/source"
            \  //1m
            \ //1m20s
            \ //1m9s
            \ 1m3s
            \ 1m16s
            \ 1m15s
          * time cp --archive --reflink=always -- "${LIVECD}/source/" "${LIVECD}/target/files/source"
            \ run this only first time!
            \ //with --verbose, duration: 7m46s
            \ //removed --verbose for next time, duration: 6m54s
            \ dur: 5m47s 306,072 files 9.2G
            \ FIXME: need rsync with reflink! because most of the files we don't want(like over 200k of them! and over 5G)
            \ TODO: maybe just usr rsync the second time, it should shave a ton of minutes even though it will use extra space when compared to cp --reflink
            \ 5m31s
            \ 6m26s
            \ 5m14.264s
          * cleaning
            * rm -vrf "${LIVECD}/target/files/source/boot/"
              \ this is so that we don't get confused, this folder isn't used!
            * cd "${LIVECD}/target/files/source"
            * rm -v stage3-*.bz2
              \ yeah keep the DIGEST why not
            - ( cd ./usr/src/linux/ && make clean )
              \ before: 4.3G
              \ after: 697M
            * time rm -vrf ./usr/src/linux*
              \ not /usr/src/debug tho!
              \ //duration: 38.4s
              \ 36.2s
              \ 1.2G(+3.7G which I make cleaned already)
              \ 40s
              \ 0m39.273s
              \ 0s
            * rm -vrf ./var/log/*
              \ 66M
            * time rm -vrf ./usr/portage/
              \ 1.1G
              \ //1m23s
              \ //1m32s
              \ 1m28s
              \ 1m27s
              \ 1m28.175s
              \ 0s
            - rm ./var/run ; mkdir ./var/run
              \ it's a symlink and "iso9660 doesn't handle symbolic links"
              \ wait, then how teh! what about the ton of symlinks: find . -type l
              \ oh wait, it's gonna be squashfs-ed so symlinks will work!
            - rm -rf ./etc/portage
              \ 123k, we keep it then
              \ we also keep the /gpg/ dir this way, which is used to check webrsync sigs
            * 
        * subsequent times?
          * time rsync --verbose --delete-excluded --delete-after --archive --hard-links --exclude="/usr/portage/" --exclude="/usr/src/linux*" --exclude="/var/log/*" --exclude="/boot/" --exclude="stage3-*.bz2" "${LIVECD}/source/" "${LIVECD}/target/files/source"
            \ this is eating space, as opposed to cp --reflink=always which basically doesn't at all.
            \ dur: 1m1s
            \ 1m20.933s
            \ 1m21.637s  (only one file was added: resolv.conf.tail ; it just takes this long to compute)
      * Building the LiveCD
        - cd "${LIVECD}/target/files"
        - rm -vf "${LIVECD}/target/livecd.squashfs" "/tmp/target/livecd.squashfs"
        - rm -vrf "/tmp/target/livecd.squashfs" "/tmp/target/boot/"
        * rm -vrf "/tmp/target/boot/"
          \ #NEXTTIME
          \ no need to remove the already existing(if any) livecd.squashfs file! it gets overwritten (not updated) anyway.
        * mkdir -vp /tmp/target/boot/
          \ #NEXTTIME
        * time mksquashfs "${LIVECD}/source" "/tmp/target/livecd.squashfs" -comp gzip -b 1M -no-exports -xattrs -noappend -exit-on-error -progress -Xcompression-level 1 -e "${LIVECD}/source/usr/src/linux"* "${LIVECD}/source/var/log/"* "${LIVECD}/source/boot/" "${LIVECD}/source/stage3-"*.bz2 "${LIVECD}/source/usr/portage/"
          \ #NEXTTIME
          \ you can omit the last path ("${LIVECD}/source/usr/portage/") so that portage stuff gets in (1.2G space; 0.5G in squashfs) and you can thus emerge stuff after having booted from the iso. (without this you may be able to emerge after you emerge-webrsync, but unsure/untested)
          \ this will skip using an intermediary /target/ source, saves disk space and time! esp. since we can just use exclude here!
          \ 7m40.532s Filesystem size 1076086.92 Kbytes (1050.87 Mbytes)
          \ 5m35.290s
          \ 91849 files, 8m46.679s Filesystem size 1091620.68 Kbytes (1066.04 Mbytes)
          \ 8m0.917s
          \ 18m1.903s  (with /usr/portage/) Filesystem size 1520479.09 Kbytes (1484.84 Mbytes) 255796/255796 files with 30222 dups
          \ 18m23.828s Filesystem size 1520479.13 Kbytes (1484.84 Mbytes) 255796/255796 dups 30223
        - (was good with rsync above)time mksquashfs "${LIVECD}/target/files/source" "/tmp/target/livecd.squashfs" -comp gzip -b 1M -no-exports -xattrs -noappend -exit-on-error -progress -Xcompression-level 1
          \ into tmpfs
          \ if dest file exists, it gets overwritten(recreated) immediately and without warning!
          \ SYNTAX:mksquashfs source1 source2 ...  dest [options] [-e list of exclude dirs/files]
          \ //dur: 9m37s (without any options!)
          \ //that's 3.5g into 1.1g  and 86778 files into 1 file.
          \ //Filesystem size 962129.84 Kbytes (939.58 Mbytes) 985,223,168 bytes
          \ dur: 4m26s 1.1g too (technically about 100meg more with level 1 compr.; filesize: 1,083,478,016 bytes)
          \ Filesystem size 1058083.02 Kbytes (1033.28 Mbytes) 1,083,478,016 bytes
          \ //what teh, now it's randomly 2,994,282,496 bytes and took 8m36s, I'm pretty sure the command hasn't changed! oh wait for some reason I've 306922 files; but ofc used the wrong 'source' folder(9.6gig)! fixed now by using absolute path!
          \ 7m54s Filesystem size 1058082.96 Kbytes (1033.28 Mbytes)
          \ command used was: time mksquashfs "${LIVECD}/target/files/source" "/tmp/target/livecd.squashfs" -comp gzip -b 1M -no-exports -xattrs -noappend -exit-on-error -progress -Xcompression-level 1
          \ ---
          \ 9m51s Filesystem size 950990.44 Kbytes (928.70 Mbytes)
          \ command used was: time mksquashfs "${LIVECD}/target/files/source" "/tmp/target/livecd.squashfs" -comp gzip -b 1M -no-exports -xattrs -noappend -exit-on-error -progress -Xcompression-level 9
          \ ---
          \ 8m19s Filesystem size 1268726.89 Kbytes (1238.99 Mbytes)
          \ 12m26s (cpu usage was taken by chromium)
          \ 7m10s Filesystem size 1064833.43 Kbytes (1039.88 Mbytes)
          \ 7m59.343s
          \ 8m22s
          \ 5m0.862s Filesystem size 1076086.94 Kbytes (1050.87 Mbytes)
          \ 8m1.259s Filesystem size 1076086.96 Kbytes (1050.87 Mbytes)
        - time mksquashfs source "${LIVECD}/target/livecd.squashfs"
          \ //8m58s
          \ //10m17s
          \ //12m39s
          \ //11m7s
          \ 10m41s
          \ 1.1G file
        - cp --archive -- "${LIVECD}/source/lib/grub/i386-pc/stage2_eltorito" "/tmp/target/boot/grub/"
        - cp --archive -- "${LIVECD}/source/lib/grub/i386-pc/stage2_eltorito" "${LIVECD}/target/boot/grub/"
          \ assumed sys-boot/grub-static-0.97-r12 is already installed
          \ need to run this every time due to an earlier rm -rf on that boot dir.
        - cd "${LIVECD}"
        - (works only inside virtualbox, ignore this step!) time mkisofs -rock -eltorito-boot boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -iso-level 4 -hide-rr-moved -eltorito-catalog boot.catalog -verbose -o "/tmp/livecd.iso" "/tmp/target"
          \ into tmpfs
          \ dur: 3.2s
          \ Note: apparently boot.catalog is created by mkisofs and transparently inserted into the iso, so you see no trace of it outside! src: http://www.tldp.org/HOWTO/Bootdisk-HOWTO/cd-roms.html search for "boot catalog"
        - time mkisofs -rock -eltorito-boot boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -iso-level 4 -hide-rr-moved -eltorito-catalog boot.catalog -verbose -o "${LIVECD}/livecd.iso" -x files "${LIVECD}/target"
          \ //17s
          \ //24s
          \ //48s
          \ 28s
        - NOTE: iso cd is at "/tmp/livecd.iso" weighing 1.1G (with du -c -s --si -P  so, at most!) 1083975680 bytes
        - iso cd is at "${LIVECD}/livecd.iso" weighing 1.1G (with du -c -s --si -P  so, at most!) 1051127808 bytes
          \ the whole dir ${LIVECD} currently is at 15G
        - time scp -P 8822 -4vp root@127.0.0.111:/tmp/livecd.iso /tmp
          \ TODO: use rsync here and see if there's any difference in speed (shouldn't be since they both use ssh)
          \ wow scp is limited at 10.5MB/s 10.9MB/s max! what the! (not even using compression!) Virtualbox starts using over 220% cpu, ssh using 40%, yep sshd using 190% inside vbox and 34% scp. So I guess ssh was doing compression(or not unless it's going to be enabled by default if not specified by scp; maybe it's just encryption that uses that much CPU)!
          \ duration: //2m26s
          \ //3m40s
          \ //1m37s
          \ 1m56s
          \ any existing dest file is overwritten without warning! ie. /tmp/livecd.iso
          \ 1m38s
          \ 2m2s
      * to usb stick
        * arch xorriso method
          \ src: https://wiki.archlinux.org/index.php/Remastering_the_Install_ISO#Create_a_new_ISO
          \ need isolinux, files: isohdpfx.bin isolinux.bin
          \ already had them on host gentoo as per package syslinux was already installed! apparently
          * rm -vrf /tmp/target/boot/grub/
            \ #NEXTTIME
            \ done: don't need grub anymore
            \ we do keep initrd and vmlinuz though
            \ currently doesn't remove anything, because we didn't copy it above!
          - rm -rf /tmp/target/isolinux
            \ this is the second dir, safe to ignore removal, since the first one exists
            \ //old comment: we make sure there's nothing there or else it will fail to boot! as per: "ISOLINUX will search for the config file directory in the order /boot/isolinux, /isolinux, /. The first directory that exists is used, even if it contains no files. Therefore, please make sure that these directories don't exist if you don't want ISOLINUX to use them. " src: http://www.syslinux.org/wiki/index.php/Doc/isolinux
          - mkdir -p /tmp/target/boot/isolinux ; 
            \ already exists
          - cp --archive --verbose -- /usr/share/syslinux/isohdpfx.bin /tmp/target/boot/isolinux/ && cp --archive --verbose -- /usr/share/syslinux/isolinux.bin /tmp/target/boot/isolinux/ && cp --archive --verbose -- /usr/share/syslinux/ldlinux.c32 /tmp/target/boot/isolinux/
          * mkdir -vp /tmp/target/boot/isolinux/
            \ #NEXTTIME
          * cp --archive --verbose -- "${LIVECD}/source/boot/"{initrd,vmlinuz,isolinux/} "/tmp/target/boot/"
            \ #NEXTTIME
          * touch "/tmp/target/livecd"
            \ #NEXTTIME
            \ create the required empty livecd file. This file must be on livecd root, because the init script in initramfs uses this file to identify if the CD is mounted or not. 
            \ already exists on next time(run).
          - cp --archive --verbose --target-directory="/tmp/target/boot/isolinux/" -- /usr/share/syslinux/isohdpfx.bin /usr/share/syslinux/isolinux.bin /usr/share/syslinux/ldlinux.c32 /usr/share/syslinux/{{vesa,c,}menu,libutil}.c32
            \ XXX: hmm, will not boot at all without libutil.c32 if you have UI menu.c32  in .cfg
            \ we copy all menus, although only menu.c32 would be needed!
            \ // not needed in target, but I wanna make sure it doesn't get modified if I specify its original path! like mkisofs did for ... I forget, maybe stage2_eltorito file ? (not boot.catalog)  ok, no changes detected(with diff) to any of these bin files after xorriso below got executed!)
            \ only isolinux.bin is needed in /tmp/target/isolinux/
            \ isohdpfx.bin just needs to be fullpath specified at xorriso cmdline
          * time xorriso -as mkisofs -iso-level 3 -full-iso9660-filenames -volid "CUST_GENTOO" -eltorito-boot boot/isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -isohybrid-mbr /tmp/target/boot/isolinux/isohdpfx.bin -eltorito-catalog boot/isolinux/boot.cat -verbose -output "/tmp/livecdhybrid.iso" "/tmp/target"
            \ #NEXTTIME
            \ //dur: 8s
            \ //10.5s
            \ 9.3s
            \ TODO: iso level 4 ?
            \ TODO: -rock ?
            \ not using: -hide-rr-moved  which was used by mkisofs with grub.
            \ 9.9s
            \ 0m8.970s
            \ 10.5s
            \ 0m10.074s
            \ 0m10.767s
            \ 0m10.553s
            \ 0m11.510s
            \ 0m12.564s
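            \ added example (not from these notes): a preflight check of the /tmp/target tree before the xorriso call above, covering the two boot failures recorded here (libutil.c32 missing while isolinux.cfg says UI menu.c32, and the empty livecd marker the initramfs looks for); the file list and the xorriso invocation are the page's own, everything else is assumed

```shell
#!/bin/sh
# Added example, not from the original notes: a preflight check for the ISO
# staging tree before calling xorriso, covering the two boot failures the notes
# record (missing libutil.c32 with "UI menu.c32", and the empty "livecd" marker
# the initramfs looks for). Paths follow the page's /tmp/target layout.

# Files that must exist under the staging root for the hybrid ISO to boot.
ISO_REQUIRED_FILES="livecd
boot/vmlinuz
boot/initrd
boot/isolinux/isolinux.bin
boot/isolinux/ldlinux.c32
boot/isolinux/isolinux.cfg"

# Extra modules needed only when isolinux.cfg uses "UI menu.c32".
ISO_MENU_FILES="boot/isolinux/menu.c32
boot/isolinux/libutil.c32"

# Print each missing path; return 1 if anything is missing, 0 otherwise.
iso_preflight() {
    root=$1; missing=0
    for f in $ISO_REQUIRED_FILES; do
        [ -e "$root/$f" ] || { echo "missing: $f"; missing=1; }
    done
    if grep -qs '^UI[[:space:]]\{1,\}menu\.c32' "$root/boot/isolinux/isolinux.cfg"; then
        for f in $ISO_MENU_FILES; do
            [ -e "$root/$f" ] || { echo "missing (needed by UI menu.c32): $f"; missing=1; }
        done
    fi
    return "$missing"
}

# Build the hybrid ISO with the page's xorriso invocation, only after preflight.
build_hybrid_iso() {
    root=$1; out=$2
    iso_preflight "$root" || return 1
    xorriso -as mkisofs -iso-level 3 -full-iso9660-filenames -volid "CUST_GENTOO" \
        -eltorito-boot boot/isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 \
        -boot-info-table -isohybrid-mbr "$root/boot/isolinux/isohdpfx.bin" \
        -eltorito-catalog boot/isolinux/boot.cat -verbose -output "$out" "$root"
}

# Usage: build_hybrid_iso /tmp/target /tmp/livecdhybrid.iso
```

            \ usage: build_hybrid_iso /tmp/target /tmp/livecdhybrid.iso ; a missing file is reported by name and xorriso is never run, which is cheaper than a 5 minute dd followed by a black screen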
          - (use scp instead! it's faster) ok transfer from within virtualbox(gentoo non chrooted) to host(manjaro)
            \ src: http://intermediatesql.com/linux/scrap-the-scp-how-to-copy-data-fast-using-pigz-and-nc/
            * get 'nc' command
              * time emerge -nav net-analyzer/netcat
                \ duration: 
            * forward port in virtualbox(gentoo), Settings for this vm, Network, Port Forward button
              * name: scp equivalent
              * proto: tcp
              * hostip: 127.0.0.111
              * host port: 8888
              * guest IP: 10.0.2.15
              * guest port: 8888
            * on gentoo
              * nc -l -p 8888 < "/tmp/livecdhybrid.iso"
            * on manjaro
              * time nc 127.0.0.111 8888 > /tmp/livecdhybrid.iso
                \ returns after 1m18s if server isn't listening!
                \ dur: 3m55s  and we don't know when it's done this way, heh
                \ dang it! looks limited to 100mbit or something! scp was faster!
          * time scp -P 8822 -4vp root@127.0.0.111:/tmp/livecdhybrid.iso /tmp
            \ #NEXTTIME
            \ run this on host(outside of virtualbox)
            \ 1m46s
            \ 1m43s
            \ 1m49s
            \ 1m43s
            \ 1m38.925s
            \ 1m57s
            \ 2m3.443s
            \ 1m44.229s
            \ 2m34.106s
            \ 2m28.528s
            \ 2m1.164s
            \ 1m40.615s
            \ 2m24.138s
            \ 2m20.902s
          * now copy to usbstick(/dev/sde) losing all the existing data on it
            * time ( sudo dd if=/tmp/livecdhybrid.iso of=/dev/sde bs=6M && sync )
              \ #NEXTTIME
              \ 5m26s 1108705280 bytes (1.1 GB) copied, 325.787 s, 3.4 MB/s
              \ 5m3s  1108705280 bytes (1.1 GB) copied, 300.85 s, 3.7 MB/s
              \ 5m20s
              \ 5m19.371s
              \ 5m25.839s
              \ 5m6.545s
              \ 5m21.346s 1119682560 bytes (1.1 GB) copied, 319.47 s, 3.5 MB/s
              \ 3m34.484s 1119682560 bytes (1.1 GB) copied, 212.221 s, 5.3 MB/s
              \ 3m34.576s 1119682560 bytes (1.1 GB) copied, 212.483 s, 5.3 MB/s
              \ 3m35.753s 1134166016 bytes (1.1 GB) copied, 215.454 s, 5.3 MB/s
              \ 6m32.790s 1573978112 bytes (1.6 GB) copied, 390.668 s, 4.0 MB/s
              \ 6m43.247s
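              \ added example (not from these notes): write the image and then verify it by reading it back, which the dd above never does; the demo target is a temp file standing in for /dev/sde (constructed), so it runs without root, and conv=notrunc only matters for that file stand-in since a block device cannot be truncated

```shell
#!/bin/sh
# Added example, not from the original notes: write an image to a target device
# and verify it by reading it back, which the dd step above never does. The demo
# target is a temp file standing in for /dev/sde (constructed), so no root needed.

# Hex SHA-256 of the first $2 bytes of file $1 (whole file when $2 is omitted).
prefix_sha256() {
    if [ -n "${2:-}" ]; then
        head -c "$2" "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# dd the image onto the target. conv=fsync flushes before dd reports success, so
# the "copied" line and the elapsed time include the real write to the media.
# notrunc only matters for the file stand-in; a block device cannot be truncated.
write_image() {
    dd if="$1" of="$2" bs=4M conv=fsync,notrunc 2>/dev/null
}

# Compare the image against the same number of bytes read back from the target.
# A stick is larger than the image, so only the image-sized prefix is hashed.
verify_image() {
    size=$(stat -c %s "$1")
    [ "$(prefix_sha256 "$1")" = "$(prefix_sha256 "$2" "$size")" ]
}

# Write then verify; non-zero exit means the read-back does not match.
write_and_verify() {
    write_image "$1" "$2" && verify_image "$1" "$2"
}

# Constructed demo: a deterministic 1 MiB image and a 3 MiB zeroed "stick".
make_demo_image_and_stick() {
    img=$(mktemp); stick=$(mktemp)
    seq 1 300000 | head -c 1048576 > "$img"
    head -c 3145728 /dev/zero > "$stick"
    printf '%s %s\n' "$img" "$stick"
}

# Real usage (as root, after double-checking the device with lsblk):
#   write_and_verify /tmp/livecdhybrid.iso /dev/sde && echo verified
```

              \ usage: write_and_verify /tmp/livecdhybrid.iso /dev/sde && echo verified ; if the read-back hash differs, the stick (or the cable) is the suspect, not the iso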
            * sudo blockdev --rereadpt /dev/sde
              \ #NEXTTIME
            * sudo cfdisk /dev/sde
              \ #NEXTTIME
              * add extra primary Linux partition(half of the left size) where to place this .wofl so that instructions are at hand (and writable for updates!)
                \ blah blah do it here, get: sde2
                \ 6G sde2
                \ recreate it even if it seems to already exist from earlier (don't know how big the iso was the second time you overwrite /dev/sde with it!)
              * time sudo mkfs.ext4 /dev/sde2
                \ #NEXTTIME
                \ 37s
                \ 39s
                \ 0m36.323s
                \ 0m36.464s
                \ 0m37.171s
                \ 0m37.442s
                \ 40s
                \ 0m37.056s
                \ 0m35.794s
                \ 0m36.246s
                \ 0m37.331s
              * mount it and copy files
                \ wofl files
                \ ~/rsync/
                \ use sudo for copying!
                * sudo mount /dev/sde2 ~/here
                  \ #NEXTTIME
                * time sudo cp --archive --target-directory ~/here/ -- ~/gentooskyline/texts/*.wofl ~/gentooskyline/texts/workflowy/ ~/rsync/ ~/.ssh/ ~/bin/ ~/mpg123.eq
                  \ #NEXTTIME
                  \ removed --verbose to see any potential errors! (else too much noise)
                  \ ~/bin/ for rsyncy command which is used by ~/rsync/ scripts!
                  \ like 2-3 sec
                  \ 9.6s
                  \ 0m3.280s
                  \ 0m3.561s
                  \ yes copy my ssh key(s) and known_hosts, will need to git clone git@github.com:zazdxscf/gentooskyline.git with write(push) rights.
                  \ 0m2.320s
                  \ 0m1.776s 0m0.609s
                  \ 0m0.736s
                - sudo cp --archive -- ~/gentooskyline/texts/workflowy/ ~/here/
                - sudo cp --archive -- ~/rsync/ ~/here/
              * then unmount it
                * time ( sudo umount ~/here && sync && sudo eject /dev/sde )
                  \ last #NEXTTIME
                  \ 17s
                  \ 12s
                  \ 0m10.908s
                  \ 0m10.434s
                  \ 0m6.199s
                  \ 0m10.784s
                  \ 0m10.192s
                  \ 0m11.756s
                  \ 0m6.902s
                  \ 0m10.482s
        - the syslinux iso mode (see workflowy.wofl)
          \ fails too, because it reboots instead of showing livecd.iso's grub menu! no idea why/what
          \ this method also takes a while to load the iso into RAM at startup, a few minutes (maybe 3m30s?)
        - the dd iso to usbstick and lose all partitions
          \ fails, doesn't boot at all, black screen and goes on to next device(HDD, which works)
          * time ( sudo dd if=/tmp/livecd.iso of=/dev/sde bs=6M && sync )
            \ forgot to use time the first time, duration unknown
            \ 1107855360 bytes (1.1 GB) copied, 211.711 s, 5.2 MB/s
            \ dur: 4m8s
          * sudo blockdev --rereadpt /dev/sde
            \ lsblk
            \ looks like this is way different from admincd, as there are no partitions(or partition table!) now! so I can't add/create my own to add the .wofl files
          * sudo cfdisk /dev/sde
            \ do what?
          * sync
          * sudo blockdev --rereadpt /dev/sde
          * sudo eject /dev/sde
            \ safely remove hardware...
        - let's do the vfose.ru variant (didn't notice it existed)
          * copy script from: http://gentoo-en.vfose.ru/wiki/Build_Your_Own_LiveCD_or_LiveDVD#USB_Stick_drive
          * ...
        - also see: http://wiki.osdev.org/GRUB_2#Upgrading_from_GRUB_Legacy
        - arch linux hybrid?
          * time emerge -nav app-cdr/cdrkit
            \ install this on host (aka outside of chroot obviously)
            \ dur:
            \ oh wait, blocked by app-cdr/cdrtools
    - let's try a different variant (wait...)
      \ http://www.gentoo-wiki.info/HOWTO_build_a_LiveCD_with_Catalyst_for_newbies#Introduction
      * time emerge -nav catalyst
        \ 16 packages, dur: 
      * wait... maybe we try the vfose variant still.

* bigTODO:
  * forgot to install xmodmap, maybe this is why less was acting up!
    \ time emerge -nav x11-apps/xmodmap
  * time emerge -nav rust
    \ duration(until out of space fail): real  93m7.779s, user  193m16.869s, sys 17m29.623s
    \ space needed: over 14G !! so umount /var/tmp/portage and /var/tmp so they're not tmpfs!
    \ re-emerging, duration: real 79m27.754s, user  99m31.626s, sys 15m24.870s; do yep, no ccache!
    \ note the helper script for running gdb: /usr/bin/rust-gdb-1.3.0
    * time emerge -nav app-vim/rust-mode
      \ for vim
  * remove cpuid module from kernel; maybe also remove msr module  because we don't plan on running amdmsrtweaker-lnx anymore!
    \ this is needed for /usr/sbin/sensors-detect  apparently
  * changes to be done inside the iso
    * need hdparm command!
    * need iotop command.
    * need sudo command.
    * need ntpdate command.
      \ time emerge -nav net-misc/ntp
    * can't emerge anything while booted in the iso, due to: !!! No write access to '/mnt/livecd/usr/portage/distfiles'
      \ so remove /usr/portage/distfiles/ from being included into the iso.
      \ there is write access to the empty /usr/portage/distfiles/ dir
      * fix:
        * mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 tmpfs /usr/portage/distfiles/
        * now can emerge... but will fail the merge phase(so can't install packages that pull more than just one package(itself): 
          \ * One or more files installed to this package are set to be installed to
          \ * read-only filesystems. Please mount the following filesystems as read-
          \ * write and retry.
          \ *
          \ *      /mnt/livecd
    * set the right values in /etc/lvm/lvm.conf inside the iso before creating it!
    * need e-file command
      \ time emerge -nav pfl
    * there's no card* folder in: /sys/class/drm/
      \ so can't do this:
      \ echo 'thermal' > /sys/class/drm/card0/device/power_dpm_state
      \ there's this tho:
      \ # cat /sys/class/drm/version
      \ drm 1.1.0 20060810
    * need command: hexedit
    * need tlp installed and the setting for MAX_LOST_WORK_SECS_ON_AC=600
      \ so that metalog doesn't trash the disk when coupled with grsec spewing each executed command to syslog
      \ XXX: ok, there's no tlp in gentoo! apparently this was made for manjaro/archlinux only? unsure and it's only a bunch of bash scripts with a config in /etc/default/tlp
    * want nload command
    - resolv.conf must be nameserver 8.8.8.8
    - in inittab make F12 be dmesg (find out how)
    - need parted and mirrorselect
    - .vimrc changes for virtual console (TERM=linux  and locale is C)
      * change an existing line to:
        \ highlight Comment ctermbg=none ctermfg=darkgray
        \ " ^ for .wofl  lines beginning with minus -  to not be white(that 26)
      * remove the if-end surrounding: execute pathogen#infect()  so that root can use the wofl plugin
    - copy /home/emacs/.vim/ folder into /root/  (cp --archive)
      \ so we have the wofl plugin files! and pathogen... etc.
  * git clone git@github.com:zazdxscf/amdmsrtweaker-lnx.git
    \ you need to have my ssh key because this clones for write/push access!
  - add swap partition, inside LUKS ofc
    \ why? because compiling chromium (inside virtualbox on 10827M RAM selected in vbox options) will get ld killed! (it used to work before(eg. for 2498 build), barely; but not since 2508 chromium build)
  - (rsync'd)add USE flag binpkg-multi-instance
    \ added in current installation for testing
  * should move gcc-5.2.0 compilation at the install stage to cache all compilations, like kernel! or else later when some gcc_colorize.so(which is in kernel tree apparently) needs to be used(for compiling x11-drivers/xf86-video-virtualbox-5.0.2), requires kernel recompilation with gcc 5.2.0 and that can't use the previous ccache due to new gcc version.
  - add LVM so that I can later on add new HDDs(inside virtualbox) and add them to lvm to increase space (need btrfs resizing too! must look into that)
  - get in that eutils.eclass patch
    \ notify_when_patches_folder_inaccessible_by_portage.patch
    \ it's in gentoo/quilt.patches/ 
    \ apparently no package owns /usr/portage/eclass/eutils.eclass which is kinda odd(?) but then for sure it got there via stage3 or even portage snapshot (via webrsync -v -k)
    \ FIXME: looks like patching /usr/portage/eclass/eutils.eclass after each emerge-webrsync (via hooks) causes the next emerge to rebuild whatever (ebuild.sh depend) everything (portage list of all packages? depends and stuff) which takes like 15mins(I can't remember actually)
  - see if we can do without dbus! - we can't, we need Restart/Shutdown buttons ungreyed in xfce! can't do without dbus
    * see if shutdown/reboot are enabled in menus after -dbus USE flag and re-emerging @world
  - see if nosuid needs to be removed from /var/tmp/portage  eg. for chromium binary will be suid in order for sandbox to work.
    \ find / \( -perm -4000 -fprintf /root/suid.txt '%#m %u %p\n' \)
    \ hmm, apparently sys-apps/shadow-4.2.1-r1 which I recently emerged(update) has multiple suid files already in filesystem which means the nosuid in all 3 tmpfs locations, one of which is used by portage(/var/tmp/portage), had no effect on the suid bit!
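    \ Added example (not from these notes and not part of any Gentoo tool): a small POSIX sh script that turns the find above into a setuid/setgid baseline and reports drift against it. nosuid on /var/tmp/portage only stops the kernel honouring the bit for programs executed from that mount; it does not prevent the bit from being set, and the files portage merges onto the real root filesystem keep it, which is why shadow's helpers show up in the listing. The tree root and the baseline path are parameters; the sample tree in demo() is constructed. GNU find (-printf) is assumed, as in the find command above.

```shell
#!/bin/sh
# Added example, not part of the original notes: take a baseline of setuid/setgid
# files under a tree and report drift against it. Run it against / as root after
# an install or a world update; demo() below uses a constructed temporary tree.
# Assumes GNU find (-printf), like the notes' own find command.
LC_ALL=C; export LC_ALL   # stable sort order so comm(1) compares correctly

# List setuid/setgid regular files under $1, one "mode owner path" per line, sorted.
# -xdev keeps the scan on one filesystem (skips /proc, /sys and other mounts).
# Permission errors (when not run as root) are silenced.
list_suid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
       -printf '%#m %u %p\n' 2>/dev/null | sort
}

# Number of setuid/setgid files under $1.
count_suid() {
  list_suid "$1" | wc -l | tr -d ' '
}

# Compare the tree $1 with the baseline file $2 (written earlier by list_suid).
# Prints "+ mode owner path" for new setuid/setgid files and "- ..." for ones
# no longer present. Returns 0 when nothing changed, 1 on any drift.
check_suid_baseline() {
  root=$1; baseline=$2
  cur=$(mktemp) || return 2
  list_suid "$root" > "$cur"
  added=$(comm -13 "$baseline" "$cur")     # lines only in the current listing
  removed=$(comm -23 "$baseline" "$cur")   # lines only in the baseline
  rm -f "$cur"
  status=0
  if [ -n "$added" ]; then
    printf '%s\n' "$added" | sed 's/^/+ /'
    status=1
  fi
  if [ -n "$removed" ]; then
    printf '%s\n' "$removed" | sed 's/^/- /'
    status=1
  fi
  return "$status"
}

# Demo on a constructed tree: one setuid file in the baseline, one added later.
demo() {
  d=$(mktemp -d) || return 2
  mkdir -p "$d/bin"
  : > "$d/bin/su";  chmod 4755 "$d/bin/su"    # constructed: setuid at baseline time
  : > "$d/bin/ls";  chmod 0755 "$d/bin/ls"    # constructed: plain binary, ignored
  list_suid "$d" > "$d/baseline.txt"
  : > "$d/bin/new"; chmod 4755 "$d/bin/new"   # constructed: appears after the baseline
  check_suid_baseline "$d" "$d/baseline.txt" || echo "drift detected"
  rm -rf "$d"
}
demo
```

    \ Take the baseline once right after the install (as root: list_suid / > /root/suid-baseline.txt) and run check_suid_baseline / /root/suid-baseline.txt after every @world update; every "+" line should be a file you can name the owning package for (equery b path). The path /root/suid-baseline.txt is a placeholder, not something these notes define.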
  * making grub rescue media
    \ dev-libs/libisoburn for Create rescue media (grub-mkrescue)
    * time emerge -nav dev-libs/libisoburn
      \ needed for cmd: xorriso
      \ else you get this error when grub2-mkrescue:
      \ grub2-mkrescue: warning: Your xorriso doesn't support `--grub2-boot-info'. Some features are disabled. Please use xorriso 1.2.9 or later..
      \ grub2-mkrescue: warning: Your xorriso doesn't support `--grub2-boot-info'. Your core image is too big. Boot as disk is disabled. Please use xorriso 1.2.9 or later..
      \ duration: 18m58s
      \ installs 1.4.0 and 2 more packages: libisofs libburn
    * grub2-mkrescue --verbose --compress=xz --output=/tmp/moo.iso
      \ so: --core-compress=xz fails: grub2-mkrescue: --core-compress: (PROGRAM ERROR) Option should have been recognized!?
      \ also just --core-compress
      \ but --core-compress1 works until the end: xorriso : FAILURE : -as mkisofs: Unrecognized option '--core-compress1'
      \ apparently doesn't need /boot (or /bewt) mounted to work.
    * untested!
  - (maybe we don't do this) add "minimal -dbus" to firefox, before emerging! (don't add to global USE, because both are toggled there!), see: equery u firefox    for what those use flags do for firefox.
  * get virtualbox(only do this on bare metal computer, not inside a virtualbox guest OS already)
    \ done: this may need to switch to vanilla gcc, we'll see; but it definitely needs switching OFF ccache! - needs none anymore
    \ 9 packages
    \ NOTE: you can't run virtualbox inside a virtualbox guest due to this error: AMD-V is not available. (VERR_SVM_NO_SVM).  and the Acceleration tab is disabled so, impossible?
    - (already there) make sure USE=extensions  is set, in /etc/portage/make.conf
      \ this is to compile the extpack  so you don't have to emerge the binary-only one
    - (already) make sure  USE=qt4  so that you get the virtualbox GUI !!!
    - . /etc/profile
    * time emerge -nav virtualbox
      \ Total: 13 packages (13 new), Size of downloads: 114122 KiB
      \ duration: 10m43.026s until app-emulation/virtualbox-modules-5.0.4 fails with:
      \ /var/tmp/portage/app-emulation/virtualbox-modules-5.0.4/work/vboxdrv/linux/SUPDrv-linux.c:1:0: error: code model kernel does not support PIC mode
      \ which means we need to not use ccache
      * time CCACHE_DISABLE=1 emerge -nav app-emulation/virtualbox-modules
        \ dur: 1m49.091s
        * vim /etc/conf.d/modules
          \ if I'm using openrc (which I am), then they say I have to add these modules:
          \ modules="vboxdrv vboxnetflt vboxnetadp"
          \ TODO: will add later.
        * time emerge -nav virtualbox
          \ dur: 10m16.105s until fail:
          \    ** gcc version 5.2 found, expected gcc 3.x with x>1 or gcc 4.x with 0<x<10 or gcc 5.1!
          \ added patch, rerunning,
          \ duration: 39m20.348s, user  81m30.770s, sys 19m49.213s
          \ recompiled for next version 5.0.6, duration: 39m35.131s, user 82m48.156s, sys 19m52.497s
    * gpasswd -a zazdxscf vboxusers
      \ Adding user emacs to group vboxusers
      \ because you must be in vboxusers group to run virtualbox!
      \ "You must be in the vboxusers group to use VirtualBox."
      \ XXX: now this only has effect on next login!
    - time emerge -nav app-emulation/virtualbox-extpack-oracle
      \ OH WAIT! news: Starting with version 5.0.0, virtualbox no longer has the "additions" and the "extension" USE flag. for the USB2, USB3, VRDP and PXE boot ROM modules, please emerge app-emulation/virtualbox-extpack-oracle
      \ DANG IT!
      \ WARNING: this installs some precompiled .so files !! it doesn't compile anything! it also uses a different license!
      \ //DON'T use this, set USE=extensions  instead! before compiling source
      \ //damn, this gets installed anyway! - no it doesn't! (anymore?)
      \ don't install it for now, maybe not needed (for my usage).
    - done: find out where the executable is and why it isn't already in the menus and on the cmdline!!! because of USE=-qt4
    * make sure these modules are added to autoload
      * vim /etc/conf.d/modules
        \ modules="vboxdrv vboxnetadp vboxnetflt"
        \ the modules=  line must not exist multiple times in this file!
  * get Qemu/KVM instead of VirtualBox since it wouldn't need to relax PAX/grsecurity flags
    \ using: https://wiki.gentoo.org/wiki/QEMU
    * grep --color -E "vmx|svm" /proc/cpuinfo
      \ got svm
    * ensure kernel config
      \ [*] Virtualization  --->
      \    <M>   Kernel-based Virtual Machine (KVM) support
      \ that adds module: kvm
      \    <M>   KVM for AMD processors support
      \ that adds module: kvm_amd
      \    <M>   Host kernel accelerator for virtio net
      \ that adds module: vhost_net
      \ [*] Networking support  --->
      \    Networking options  --->
      \      <M> The IPv6 protocol
      \ this adds module: ipv6
      \      <M> 802.1d Ethernet Bridging
      \ this adds module: bridge
      \ Device Drivers  --->
      \    [*] Network device support  --->
      \        [*]   Network core driver support
      \        <M>   Universal TUN/TAP device driver support
      \ this adds module: tun
      * other stuff that's already selected (for me) 
        \ Kernel hacking  --->
        \        Compile-time checks and compiler options  --->
        \                    [*] Debug Filesystem
      * python USE flag is needed for file capabilities support
        * vim /etc/portage/package.use/qemu
          \ app-emulation/qemu python filecaps
        * time emerge -nav qemu
          \ Total: 7 packages (7 new), Size of downloads: 29066 KiB
          \ dur:
        - vim /etc/portage/make.conf
          \ USE=python
        - time emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 27 packages (7 new, 20 reinstalls), Size of downloads: 83416 KiB
          \ yeah let's not do this globally!
  * use something else(dracut maybe?) instead of genkernel so that we can fully control the boot process and image generation! eg. using custom scripts for boot process and knowing exactly how the image gets generated (like mkcpio stuff)
  * epic emerge conflicts? add --backtrack=30
    \ eg.
    \ time FEATURES="-stricter" emerge --verbose --tree --update --deep --backtrack=30 --with-bdeps=y --changed-use --ask @world
  - get wine (we don't want this)
    * time emerge -nav wine
      \ this includes gecko and mono !!
      * needs ncursesw or something!! due to error in sys-apps/gptfdisk-1.0.0! (aka the unstable one)
        \ the only other package is sys-apps/gptfdisk-0.8.10  (aka the stable one)
  * (grub)auto choose last option (so use saved env, somehow; maybe we have to not use btrfs in /bewt ? search above for: grubenv)
    * make /bewt ext2 or ext4 instead of btrfs so we can use grub env
  * get at least 2 kernels (the hardened and the latest git) just in case to avoid that btrfs mount log thingy in the future or who knows what other issues!
    * must ensure first in list is not the latest(which would be the git version) but rather the hardened which is a previous(than git) version, but this gets auto ordered by whatever grub scripts in conf.d
      * maybe see if we can use non-btrfs /bewt and thus then we can use that grub save env feature! (yep already said this)
  - after a power failure (lost power while in X, aka blackout, or just hard reset computer) then system gets stuck at:
    \ https://bugs.gentoo.org/show_bug.cgi?id=548452
    \ fixed, it's because of this: https://btrfs.wiki.kernel.org/index.php/Gotchas
    \ remember to zero the log somehow, via btrfs-zero-log
    \ AND update to kernel 3.19.6
    * enter luks password wrongly 3 times
      * enter: shell
      * dmesg -n 8
      * cryptsetup --verbose --allow-discards luksOpen /dev/sda3 lvm_on_luks_on_sda3_root
      * lvm lvchange --verbose -a y vgall
        \ the opposite of this is: lvm lvchange --verbose -a n vgall
      * one of
        \ note: cannot be killed ! eg. if you add and &  and then kill -9 on it, nope!
        * mount -t auto -o ro
        * mount -o ro /dev/mapper/vgall-rootlvol /
  - see how to access previous dmesg logs and set the value of how many to keep
    * vim /etc/metalog.conf
      \ TODO: these changes were not tested yet!
      * change all 'minimum =' to some big number like *1000 more
      * do same for maxsize, maxtime, maxfiles
    * ls -la /var/log/everything/
      \ that's where all the logs will be
  - virtualbox-guest-additions (in non-hardened gentoo profile)
    * time emerge -nav '>=virtualbox-guest-additions-5.0.2'
      \ 4 packages, 7m10s until fail
      \ kmk: *** No rule to make target `/var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.0/work/VirtualBox-5.0.0/out/linux.amd64/release/lib/additions/VBoxDnDGuestR3Lib.a', needed by `/var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.0/work/VirtualBox-5.0.0/out/linux.amd64/release/obj/VBoxControl/VBoxControl'.  Stop.
      \ that ^ is with ccache!!
      - XXX: to fix, get 5.0.2 instead! //get patch from this bug: https://bugs.gentoo.org/show_bug.cgi?id=554952#c12  this is an .ebuild patch! (don't put it in /etc/portage/patches !)
        * cd
        * wget 'https://554952.bugs.gentoo.org/attachment.cgi?id=407970&action=diff&collapsed=&context=patch&format=raw&headers=1' -O bug554952.patch
        * cd /usr/portage/app-emulation/virtualbox-guest-additions
        * patch -Np5 -i ~/bug554952.patch
        * repoman -pv  --digest=y  --ask manifest
          \ XXX: note, this doesn't pretend, doesn't ask, it just updates the manifest!
          \ current dir matters!
          \ apparently this is what I used to regen manifest(eg. checksum of the modified aka now-patched .ebuild)
      - next issue due to git kernel: nd_set_link, nd_get_link and others
        \ /var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.0/work/VirtualBox-5.0.0/src/VBox/Additions/linux/sharedfolders/lnkops.c:49:18: error: implicit declaration of function 'nd_get_link' [-Werror=implicit-function-declaration]
        \ /var/tmp/portage/app-emulation/virtualbox-guest-additions-5.0.0/work/VirtualBox-5.0.0/src/VBox/Additions/linux/sharedfolders/lnkops.c:43:5: error: implicit declaration of function 'nd_set_link' [-Werror=implicit-function-declaration]
        \ FIXME: ??
    - time CCACHE_DISABLE=1 emerge -nav virtualbox-guest-additions
      \ 1 packages, without ccache 5m48s until the same fail.
  - so apparently (tested) there's another way to disable ccache, by setting CCACHE_DISABLE=1; this doesn't require resetting PATH to not point to ccache's gcc and also doesn't require setting FEATURES="-ccache", although this latter one is probably better! (except for the need to also set PATH!!) eg.
    * time CCACHE_DISABLE=1 emerge -nav '=virtualbox-guest-additions-4.3.26'
      \ 5m38s
      \ or 16 packages: 10m20s
      * add user to vboxguest group
        \ gpasswd -a zazdxscf vboxguest
        \ needs relogin to have effect!
      * make sure we're already using mesa lib
        * eselect opengl list
          \ [1] xorg-x11 *
          * if not do: eselect opengl set xorg-x11
      * vim /etc/X11/xorg.conf.d/30_dri.conf
        \ ensure this is uncommented (although probably unneeded because it picked it up before anyway)
        \ Driver "vboxvideo"
        \ NOTE: this file doesn't exist!! I don't know which package added it! I think I created this manually!
        \ Section "Device"
        \  Identifier "Device0"
        \  Driver "vboxvideo"
        \ #  BusID "PCI:0:1:0"
        \  Option "DRI" "true"
        \  Option "AccelMethod" "EXA"
        \ EndSection
        \
        \
        \ Section "DRI"
        \  Group "video"
        \  Mode 0666
        \ EndSection
      * NOTE: to mount shared folders within virtualbox do: mount -t vboxsf sharedfoldername mountpoint
        * and you have to be in vboxsf group to be able to access them! or else only root can!  
          \ gpasswd -a zazdxscf vboxsf
          \ needs relogin to have effect!
      * rc-update add virtualbox-guest-additions default
    - time FEATURES="-ccache" emerge -nav virtualbox-modules
      \ this is for running virtualbox apparently; not for running guest inside virtualbox! so we only need this on the bare metal
      \ not needed by guest additions
      \ needs ccache disabled because of the PIC mode error and CCACHE_DISABLE=1 does not work for this! needs the FEATURES="-ccache"  one, hmm interesting but apparently true (I tried the =1 first and then the -ccache one which worked; saying this just in case the first one messed up with the env vars like PATH and made the latter one work)
      * vim /etc/conf.d/modules
        \ maybe needed!! probably not!
        \ vboxdrv vboxnetflt vboxnetadp
  - (was done)merge inhere stuff from gentoo_desktop.wofl
  - add * in hosts.deny and only what you need in hosts.allow
    \ see if this works on gentoo, since manjaro/arch linux disabled this feature completely!
    \ XXX: well this isn't what I thought! it only blocks incoming (clients) to local servers; NOT outgoing connections from local!
  * TODO: see if we need jail for anything
    \ see: https://wiki.gentoo.org/wiki/Jail
    * run them inside their own jails
  - logjam updates
    \ src: https://weakdh.org/sysadmin.html
    \ looks like this after:
    \ debug1: kex: server->client aes256-ctr hmac-sha2-512-etm@openssh.com none
    \ debug1: kex: client->server aes256-ctr hmac-sha2-512-etm@openssh.com none
    * add to ssh client
      * vim /etc/ssh/ssh_config
        \ MACs hmac-sha2-512-etm@openssh.com
        \ KexAlgorithms curve25519-sha256@libssh.org
        \ I don't know if Kex* is for the ssh client TOO! apparently it is!
        \ Ciphers aes256-ctr
        \ ^ should've already existed!
    * add to sshd_config
      * vim /etc/ssh/sshd_config
        \ KexAlgorithms curve25519-sha256@libssh.org
        \ that mac is already added!
        \ ensure the Kex* line doesn't appear already! if it does, overwrite it!
        \ Ciphers aes256-ctr
        \ ^ should've already existed!
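    \ Added example (not from these notes and not an OpenSSH or OpenRC tool): a POSIX sh helper that sets a "Key value" line in a config file idempotently, which is exactly the "ensure the Kex* line doesn't appear already! if it does, overwrite it!" rule above and the "the modules= line must not exist multiple times" rule for /etc/conf.d/modules. Every existing line for the key is replaced by one line at the first one's position (duplicates are dropped); if the key is absent the line is appended. Commented-out lines ("# Ciphers ...") are left alone. The file contents in demo() are constructed; the key is matched case-sensitively and must contain no regex metacharacters.

```shell
#!/bin/sh
# Added example, not part of the original notes: idempotently set a "Key value"
# (or Key=value) line in a config file such as /etc/ssh/sshd_config,
# /etc/ssh/ssh_config or /etc/conf.d/modules, so re-running never leaves
# duplicate or stale lines behind.
LC_ALL=C; export LC_ALL

# Lines that set a key: optional leading blanks, the key, then a blank or "=".
# A leading "#" is not a blank, so commented-out lines do not match.

# Print how many active lines in file $1 set key $2.
count_key_lines() {
  awk -v key="$2" '$0 ~ ("^[ \t]*" key "([ \t]|=)") { n++ } END { print n + 0 }' "$1"
}

# Print the value of the first active line in file $1 that sets key $2.
get_key_value() {
  awk -v key="$2" '$0 ~ ("^[ \t]*" key "([ \t]|=)") {
      sub("^[ \t]*" key "[ \t=]*", ""); print; exit }' "$1"
}

# Replace every active line for key $2 in file $1 with the single line $3,
# placed where the first one was; append the line if the key is absent.
# The file is rewritten in place via a temp copy so its mode/owner are kept.
set_config_line() {
  file=$1; key=$2; line=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v line="$line" '
    $0 ~ ("^[ \t]*" key "([ \t]|=)") { if (!done) { print line; done = 1 }; next }
    { print }
    END { if (!done) print line }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Demo on a constructed sshd_config fragment: a weak, duplicated Kex line and a
# commented-out Ciphers line; afterwards each key appears exactly once.
demo() {
  f=$(mktemp) || return 1
  printf '%s\n' 'Port 22' \
                'KexAlgorithms diffie-hellman-group1-sha1' \
                'KexAlgorithms ecdh-sha2-nistp256' \
                '# Ciphers aes128-cbc' > "$f"
  set_config_line "$f" KexAlgorithms 'KexAlgorithms curve25519-sha256@libssh.org'
  set_config_line "$f" Ciphers       'Ciphers aes256-ctr'
  set_config_line "$f" MACs          'MACs hmac-sha2-512-etm@openssh.com'
  cat "$f"
  rm -f "$f"
}
demo
```

    \ Two caveats for sshd_config and ssh_config: sshd treats keywords case-insensitively while this matcher is exact-case, so keep the spelling used in the file; and a line appended at the end lands inside the last Match (or, for ssh_config, Host) block if the file has one, in which case put the global line before that block by hand. Check the result with sshd -T | grep -i -E 'kex|ciphers|macs' before restarting sshd.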
  * ssh tunnel (tun)
    * vim /etc/ssh/sshd_config
      \ PermitTunnel point-to-point
    * /etc/init.d/sshd restart
    * add tun in kernel config
      \ //[*] Networking support  ---> 
      \ //Networking options  ---> 
      \ //<M>   IP: tunneling    (  not needed !)
      \ go back to main,
      \ Device Drivers  --->
      \ [*] Network device support  --->
      \ <M>     Universal TUN/TAP device driver support
      \ that is:
      \ CONFIG_TUN=m
      \ CONFIG_INET_TUNNEL=m  (auto selected and hidden - you can't select it!)
      \ CONFIG_NET_IP_TUNNEL=m (same ^)
      \ !!!!! ALSO ADD CONFIG_NF_TABLES and suboptions while you're at it!
      \ !!!! there's more see BELOW search nftables below!
      * prepare kernel for compilation (and compile it, update grub etc.)
        * cryptsetup --verbose --allow-discards luksOpen /dev/sda2 luks_on_sda2_boot
        * mount /bewt
        * . /etc/profile
        * time FEATURES="-ccache" genkernel all --bootdir="/bewt" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs  --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --no-mountboot --no-postclear
          \ so apparently if --kernname=^Cnkernel (yes ^C the two chars!) then on boot it will fail to load most modules and thus luks device will not be able to mount (so no password asked, just some error which doesn't seem related to module not being loaded) - and that's because grub2-mkconfig is only searching for initramfs-genkernel-* filenames so it was using an old one or none!
        * grub2-mkconfig -o /bewt/grub/grub.cfg 2>&1
        * umount /bewt
        * cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot 
      * add tun module to autoload
        \ this isn't needed, as ssh -w 5:5 (that part) autoloads the module itself (somehow), but this is for when you need to have the tun interface already loaded for bringing up the interface before ssh does the -w part!
        * vim /etc/conf.d/modules
          \ modules="tun"
          \ just make sure there isn't a modules=  line already! if so, add to it instead!
        * vim /etc/conf.d/net
          \ tuntap_tun5="tun"
          \ config_tun5="192.168.244.1/24"
        * ln -s /etc/init.d/net.lo /etc/init.d/net.tun5
        * rc-update add net.tun5
      * reboot for this kernel to have any effect!
    * start the tun via ssh, example from client PC (yes this should reside on my client PC, to run whenever I wanna establish utox connection, before running utox):
      \ src: https://wiki.archlinux.org/index.php/VPN_over_SSH
      \ sudo ssh \
      \  -o PermitLocalCommand=yes \
      \  -o LocalCommand="sudo ifconfig tun3 192.168.244.2 pointopoint 192.168.244.1 netmask 255.255.255.0" \
      \  -o ServerAliveInterval=60 \
      \  -w 3:5 root@127.0.0.19 -p 8822 \
      \  'sudo ifconfig tun5 192.168.244.1 pointopoint 192.168.244.2 netmask 255.255.255.0; echo tun5 ready'
      \ then C-c when done - it auto closes ssh and tun devices
    * recompile tox/utox
      * layman -s tox-overlay
        \ bring up to date the repo
      * make sure the patches are in place in /etc/portage/patches
      * time emerge -av tox utox
      - run DHT_bootstrap in /root
        \ this is temporary, a script will manage this
      - run utox after startx which will connect to this DHT node.
        \ this is temporary
      * NOTE: if sound is lower pitched aka slowed it's because of this:
        \ [   24.040933] snd_intel8x0 0000:00:05.0: clocking to 48000
        \ not always being 48000 but rather something like 41131 (or something)
        \ only happens in virtualbox (so far)
        \ a soft reboot(even from guest OS) will just fix it - tested once.
    * need dig command for own IP lookup
      * time emerge -nav net-dns/bind-tools
  * deny* access to router IP
    \ *via nft firewall
    * get nft command
      * time emerge -nav net-firewall/nftables
        * recompile kernel with CONFIG_NF_TABLES set ! (see above on how to recompile)
          \ and who knows what others! all its suboptions
          \ also, inside of: IP: Netfilter Configuration  --->
          \ <M> ARP packet logging 
          \ <M> IPv4 packet logging
          \ <M>   IPv4 nf_tables route chain support
          \ and CONFIG_NF_TABLES_ARP aka ARP nf_tables support
          \ and <M> IPv4 NAT and suboptions
          \ and outside, in:
          \ <M>   Ethernet Bridge nf_tables support  --->
          \ and all its suboptions!
          \ outside, in  Core Netfilter Configuration  --->
          \ [*] NFQUEUE integration with Connection Tracking
          \ <M>   LOG target support
    - (already put in place with rsync)cp /home/emacs/routerdeny.nft /var/lib/nftables/rules-save
      \ FIXME: oh but wait, this gets overwritten (eg. the nft rules get saved into this file! thus losing all formatting and any comments it previously had when put there the first time by rsync)
      \ new file (should not already exist)
      \ This is ignored: /etc/conf.d/nftables.rules
      \ /home/emacs/routerdeny.nft was scp-ed by you:
      \ eg. on host: scp -P 8822 -4vp ~/routerdeny.nft root@127.0.0.19:/home/emacs/
    * rc-update add nftables default
      \ rc-service nftables start
      \ to start it now
  - remove rsync soon after chroot, AND in admincd
    \ nevermind...
    \   net-misc/rsync-3.1.1 pulled in by:
    \    @system requires net-misc/rsync
    \    sys-apps/portage-2.2.18 requires >=net-misc/rsync-2.6.4
  * don't forget to copy host's /etc/gitconfig aka git config --list --system
  * ufed to tidy up use flags
    \ when you run it you get a menu with all flags, can save changes (in make.conf)
    \ "ufed edits the USE flag settings in your make.conf file only. It can not be used to edit your  package.use file."
    * time emerge -avtn app-portage/ufed
      \ 1m8s
  * word diffs with wdiff
    - (not needed) time emerge -navt app-text/wdiff
    * get git wdiff alias
      \ there's wdiff in git already as: git diff --color-words
      \ src: https://idnotfound.wordpress.com/2009/05/09/word-by-word-diffs-in-git/
      * git config --global alias.wdiff "diff --color-words"
        \ you may check ~/.gitconfig  for [alias] section
  - switch to zazdxscf user as soon as possible to compile stuff as non-root !
    \ ok this doesn't work, emerge -S can be used by non-root (non-sudoed) users, or anything with --pretend, but it won't allow normal users to install packages! so userpriv is the only thing that works in this context even though ./configure will run as root and that's why ccache needs that CCACHE_UMASK="0002" env var!
    * use $ and # in front of commands (here in this .wofl file)
    * use another ssh session for the non-root user and only emerge stuff from within it.
  - get quilt for generating patches
    \ emerge -nav quilt
    \ 1m36s
    \ how to use: http://www.mpagano.com/blog/?p=25
    \ quilt new patchname.patch
    \ quilt edit file  (to auto add file to patch then run vim on it)
    \ quilt diff  (see what's changed since new patch)
    \ quilt refresh  (to ensure the  quilt diff   is saved into the patch file)
  * patch emerge to NOT copy to the destination if the file exists (in case of re-emerges) and it has the same contents (ie. by checksum comparison, or diff comparisons) - also check if it removes files from the previous emerge when re-emerging, or leaves them untouched before copying over them.
  - install pfl and use  e-file cmdhere  instead of  equery b cmdhere  to find out which (non-installed!) package provides the command
    \ https://wiki.gentoo.org/wiki/Pfl
  * holyf that kexec works http://gentoo-en.vfose.ru/wiki/Kexec
    - keyboard was locked up due to Shift+PgUp/Dn attempts which didn't work, after and while a reboot with kexec, but apparently works ok if instead it is left alone (no keys pressed) until booted to the login prompt. XXX: locks up due to RShift being held down (likely during kexec boot, but not during boot) https://bugzilla.kernel.org/show_bug.cgi?id=92881
  - add mosh and tmux to replace ssh
    * actually use mosh instead of ssh
  * zfs lacks TRIM https://github.com/zfsonlinux/zfs/pull/1016
    * when TRIM is implemented, then you can consider using ZFS, but be aware that they are not very active in fixing bugs ie. https://github.com/zfsonlinux/zfs/labels/Bug%20-%20Major
      \ https://pthree.org/2012/12/04/zfs-administration-part-i-vdevs/
      \ http://www.solarisinternals.com/wiki/index.php/ZFS_Evil_Tuning_Guide#Overview
      \ http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide
      \ https://wiki.gentoo.org/wiki/ZFS
      \ https://en.wikipedia.org/wiki/ZFS#Features
  - make separate /boot partition that's luks with a different key - ie. different luks device than root
  * make 4G btrfs LVM root and resize it later after install
    \ to train myself how to resize it
    \ I think I need to boot from livecd, or online resizing works? hmm
    \ https://wiki.gentoo.org/wiki/LVM#Extend_LV
    \ btrfs filesystem resize max /mnt
    \ src: http://www.funtoo.org/BTRFS_Fun
    \ "And yes, it is an on-line resize, there is no need to umount/shrink/mount."
  - ensure cpu firmware is included in kernel (this may not be needed inside virtualbox)
  * check grub2-install param --pubkey and see if it applies for non-EFI too
    \ to boot signed kernel
    \ "--pubkey=FILE  embed FILE as public key for signature checking"
    \ see: info grub  18.2 Using digital signatures in GRUB
    * can I run coreboot inside virtualbox? what about in other emulators?
      \ apparently not in virtualbox, yet, but yes in QEMU
  - enable debug USE flag
    \ http://www.gentoo.org/proj/en/qa/backtraces.xml
    \ XXX: only enable this flag per package, never globally (don't put it in USE in /etc/portage/make.conf)
  - ccache
    \ emerge --ask dev-util/ccache
    \ more to do: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Caching_compilation_objects
  * XXX: don't make /home on separate partition because btrfs would be less effective this way; TODO: but what if it were a subvolume?
  - /var/tmp must be like /tmp  - tmpfs !
    \ ONLY for when enough ram is available, apparently only 50% (2G out of 4G) RAM is used for any tmpfs, by default !
    * find a way to use 75% of RAM with any tmpfs
  - emerge --ask app-crypt/gnupg
    \ to have gpg inside chroot !
  - add sshd early so we can actually copy/paste!
    \ /etc/init.d/sshd start
  * see FIXME ones
  * emerge --color y --search something | less -R
    \ this may be better than e-file  except that e-file searches online and can probably find non-existent ones too.
  * use eix instead of emerge --search  ; this is better than e-file ! (try: e-file eutils (no results) then eix eutils and you see a bunch with that word in their name)
    \ more info: https://wiki.gentoo.org/wiki/Eix
    \ search is way faster ie. eix kernel  or  eix -S -c corba
    * time emerge -navt eix
      \ //5m24s (oldtime)
      \ //5m32s (with 2 youtube vids playing in firefox)
      \ 12m7s
    * time eix-update
      \ to create the database, before you can use eix
    - but DON'T use eix-sync -w -v  WARNING: because it can't keep the downloaded file as emerge-webrsync -k could! (I don't see an option to pass -k to it)
      \ will do emerge-webrsync (instead of emerge --sync) which is the only thing we want since it checks gpg signature (when webrsync-gpg option is set in FEATURES)
      \ but since can't pass -k then don't use it!
      - DON'T use emerge-delta-webrsync
        \ Looking for available base versions for a delta
        \ no base found.  resorting to pulling a full version
        \ uhmmmm
        \ also it doesn't download or check gpgsig!!!
        * emerge --ask emerge-delta-webrsync
        * eix-sync -W -v
          \ -W to use it
  * read cheat sheet
    \ https://wiki.gentoo.org/wiki/Gentoo_Cheat_Sheet
  * when in X, get to this: XDG cache to tmpfs
    \ https://wiki.gentoo.org/wiki/SSD#XDG_cache
  * SSD optimizations
    * read and apply some stuff from here:
      \ https://wiki.gentoo.org/wiki/SSD#Considerations
  - TODO: remove unicode USE flag, for the next install/try
    \ -unicode
  * get a new kernel .config stripped for virtualbox (lots of work/time)
  * make genkernel build the kernel inside RAM instead of /usr/src/linux - this only makes sense when using ccache, otherwise we do want to keep object files around to reduce compilation time the next time genkernel --no-clean is run.
    \ 1.2G used after compilation
    \ OR/AND TODO: just skip using genkernel and do it manually
    \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
  - add reboot/shutdown users
  - ensure tmpfs are mounted in fstab
    - find out how to rbind /tmp to /var/tmp inside /etc/fstab
      \ http://backdrift.org/how-to-use-bind-mounts-in-linux
      \ XXX: actually I don't want to do this, because if /tmp and /var/tmp are the same then I won't know if a certain existing file was created in /tmp or in /var/tmp and besides this doesn't use any extra RAM
  * make sure kernel has Whirlpool support, not just sha stuff
  - check out LUKS
    \ https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
    \ info grub  - can boot from luks
  * check out gpg luks
    \ man 7 dracut.cmdline search for rd.luks.key
  * grub gpg signed kernel
    \ https://balu-wiki.readthedocs.org/en/latest/linux/grub2.html#boot-only-signed-kernel-and-ramdisk
    \ info grub
  * find a way to make emerge show FEATURES too, when emerge --ask --verbose  , not just USE flags
  - remove that SYNC line from make.conf at the right point and write it in this .wofl
  * don't actually use discard flag, use fstrim instead, because just in case I wanna recover some recently accidentally deleted file but also because deleting a ton of files at once is freezy
